Bibliography
Amoroso, E.G., Fundamentals of computer security technology, Englewood Cliffs, New Jersey, Prentice-Hall Intern...

About Atos
Atos is an international information technology services company with annual 2011 proforma revenue of EUR 8.5 bil...
Atos whitepaper - Strategic system for risk management Models and growth phases
How do you defend your organization from the threats within and the threat without when it really counts?
Atos has just successfully provided secure IT services to the broad and diverse population comprising the Olympic and Paralympic family. So discover how Atos’ business technologists are using the Games experience to provide the same new “boundary-less” concept with security and transparency to businesses the world over.
Whitepaper: Strategic system for risk management
Your business technologists. Powering progress
Strategic system for risk management: Models and growth phases

1. Introduction

What is the most appropriate system of data security and risk management for a specific type of organisation and what is the desired objective? We would like to share our baseline requirements with you.

Using simple models, we outline the route to the desired objectives and the desired growth based on a phased, natural growth path.

This article is written against the background of a number of experiences with which the reader is probably familiar. First and foremost, it appears to us that the ‘board’ is going to make constantly higher demands for demonstrable compliance. That is a logical consequence of the changing legislation and regulations in this area. But the term ‘compliance’ is not really complete if no accepted reference framework is given. Following on from this we have noted that the board requires a reference framework in order also to be able to communicate externally over the system of control measures and their operation.

Then there is the experience that professionals often know to report based on assessment that there are elements missing in the system for internal control without having an objective reference framework. Thus the statement ‘there is a need for a formalised methodology for risk assessment’ is misplaced for the small shopkeeper, but more obvious for a multinational bank. But the question, of course, is what device is appropriate for the type of organisation.

Further experience is that organisations that are faced with the need to catch up, for example, by a sudden drastic escalation in external demands for compliance, often desperately aim for this new level without regard for the way to it. This leads to loss of support within the organisation and, at best, the mechanistic implementation of misunderstood procedures. The comparison with the high jumper is easy: if ‘the bar’ started at 1 metre, and the new target is 2 metres, it is better to achieve this goal by gradually going up from the ‘1 metre’ situation and not immediately set the bar at 2 metres.

The structure of my article is as follows. Section 2 outlines developments in the concept of risk and control over recent decades. Section 3 goes into the models and growth phases in data security and risk management. Our closing remarks are included in Section 4.

Dr. Abbas Shahim RE
Dr. Abbas Shahim RE is a partner at Atos Consulting where he is in charge of practice in the area of IT risk management. He is also associate professor and director of studies at the Free University and vice chairman of ISACA in the Netherlands.

Strategic system for risk management – Models and growth phases 3
2. Strategy for risk management: developments in the concept

Today, risk management is not just a subject of interest to colleagues but of strategic importance for organisations and therefore requires a renewed approach.

Anyone who does not adequately control the risks associated with operational management in this turbulent and continuously changing market is simply not a serious business partner. Actually it is no longer acceptable to approach risk management in the traditional way (i.e. defensive conduct, technical approach) or to regulate it in an ad hoc way. There is a major need for a new approach applying strategic and structural consideration to risk management and the system for it. This section looks at a model that is applied in practice in order to bring the organisation of information and communication technology (ICT) in line with the corporate objectives, and to bring this up to the desired strategic level gradually and in a measurable way. We consider the thinking behind this approach in the following sections with the aim of achieving this with risk management organisations so that these are structured and managed based on the corporate vision, set up and strategically managed based on measurable results.

2.1 Focus on risk management

The increasing focus on risk management is a trend that is mainly the consequence of three key aspects.

The first aspect is the continuing growth of ICT whereby this field has evolved into a fully-fledged industry which has now penetrated the core of our information society. On the one hand, the explosive use of this new technology in organisations has led to more efficient implementation of day-to-day activities resulting in a great reliance on it. On the other hand, use of ICT has introduced new risks which must be mitigated by means of various types of measures.

The second aspect concerns customer specifications for (ICT) security. In practice it appears that clients mostly have high, fixed and comprehensive security requirements which, in most cases, are essential preconditions for concluding business-like service contracts. Security has become a knock-out criterion in the selection of providers.

The final aspect relates to the issues surrounding ‘compliance’ as a consequence of the changing legislation and regulations. For this, organisations need to demonstrate with hard evidence that, among other things, they are adequately managing the risks associated with ICT.

The aforementioned developments have resulted in risk management having to develop rapidly and in a refined way in recent years. This evolution has meant that the previously technical and operational image of this crucial subject has now become a strategic issue. It is now the rule rather than the exception for risk management to be on the agenda of senior management, and to be regarded as an important element of operational management. It is therefore necessary that the enhanced strategic image of risk management be defined more closely and given a higher profile. For this, a more modern approach, as set out in Fig. 1, is a requirement to secure the three key factors which together contribute to enhancing the added value of risk management.

Firstly, the aims covered by risk management need to be separated from and subordinated to the business demands and aims. These will be appropriately linked to the vision and objectives of the organisation.

Secondly, risk management should be routinely implemented according to a structured approach. With this model system, clear, achievable milestones can be laid down with the associated stages and interim results.

Finally, indicators should be defined to measure performance and to use as input for reporting on the results achieved. Using these, risk management can be aimed for and corrected in a timely way so that the intended goals are pursued in a visible way.

Fig. 1. A more modern approach to risk management [figure; labels: Business requirements and aims; Vision & objectives of the organisation; Starting point; Risk management; Risk management system; Systematic approach; Indicators; Measuring performance & reporting; Organisation; Added strategic value]
2.2 Generations of risk management

The evolution of risk management has manifested itself in four generations. As well as rapid technological developments, each generation has focused on a different aspect with intrinsic business value and with specific security problems.

When organisations started using computers in the 1960s, the main focus of suppliers was on processing power and functionality. Hardware and software were only accessible to individuals with special privileges. They had access to centralised computer systems which were located in physically secure surroundings. These systems were run using punchcards and produced printouts as a result of this batch processing. The computer systems at that time were expensive and also vulnerable to human error and environmental changes such as temperature. Centralised computer systems were therefore located in an area with restricted access which was only granted to authorised individuals. Security was a simple task as, owing to the processing restrictions and circumstances, it was not possible to gain free access to computer resources. This offered added value to business which did not make such high demands (Amoroso, 1994). Automation supported operating processes and tried to follow operating processes as closely as possible.

As hardware became smaller and cheaper and with the rapid development of network technology, in the 1970s and 1980s it became possible to access computer systems remotely, with the result that the primitive physical security measures were inadequate. Batch processing was enhanced by what is known as ‘multi-programming’ whereby computer systems were able to carry out a number of tasks simultaneously. This required controlled access to programs and data stored on computer systems. For this, initially Job Control Language (JCL) was used to prevent unauthorised access to data sets and hard drives. This security measure was adequate until it was made possible for end users to type in their own commands on the terminal linked to the computer system. The arrival of this interactive processing option introduced new security challenges as the initiated processes competed with each other for resources and processing time. Identification and authentication of end users behind the terminal then attracted most attention. Separating their processes from those of others, protecting their data against unauthorised use and security of communication between the terminal and the computer system also became relevant problems to be fixed by implementing adequate security to offer business value. Operating processes are increasingly modelled around the ICT options.

The exponential use of the Internet in the 1990s led to the large-scale adoption of this medium by organisations, mainly for doing business and communicating with the outside world. Operating processes were set up for Internet use. This way of working required the internal ICT structure to be connected to the non-secure Internet, whereby organisations were confronted with what were then to some still unfamiliar risks, including hacking and viruses. It then became clear to organisations that the infrastructure and other key operating properties (e.g. data) needed to be protected in a structured way against risks of various kinds. ICT security thereby attracted the attention of senior managers and found a place on their agenda. Consequently, the use of methods and standards became popular as a routine approach to security. This then resulted primarily in the implementation of the Code voor Informatiebeveiliging (CIB) and Information Technology Infrastructure Library (ITIL) Security Management to meet the demands and requests made by business.

Awareness is now greater than ever that risk management is not only an ICT issue as was previously the case in the past generations shown in Fig. 2. This subject has undergone an impressive evolution resulting in a move from technology to business-orientation. This is seen as logical and is actually a movement that is sincerely applauded by many. To most modern organisations, therefore, risk management is regarded as an essential business aspect and is therefore incorporated in processes. Due to this in some ways revolutionary change, a strategic dimension has been added to the way in which organisations interpret risk management. Risk management has therefore acquired greater significance and has become a fixed element of any go-ahead and risk-aware organisation. This has resulted in the dawn of a new era where risk management is seeing a clear strategic focus and prioritisation and offers clear added value to the organisation.

Fig. 2. Generations of risk management [figure; generations from oldest to newest: Physical security / Ad hoc measures; Identification & authentication / Focus on authorised access; Systematic approach / Attention to structured method of working; Renewed approach and integration in processes]

Fig. 2 requires a method that offers the chance to take into account the vision and objectives of the organisation, outlines the steps for managing a systematic approach, and offers aids to achieve the intended goal and to display the results achieved. In this way it can be ensured that there is an adequate risk management organisation that supervises the achieving and maintaining of a balanced coordination between business requirements and aims (demand) and the technology in use (supply), and that initiates and monitors any actions required. We have opted for a proven strategic model to shape risk management as a crucial part of today’s progressive organisation, to plan requirements and wishes in a balanced way and demonstrably to measure the performances achieved and to report at the correct aggregation level.

2.3 Growth model

The high-level transformation of ICT organisations was initially discussed in the late 1980s. This reorganisation and growth included the fundamental reorientation of ICT related products and services. The aim was to make this innovative technology more adaptable for organisations so that it could meet demands and requests more flexibly in the long-term. A model was then used principally to facilitate growth of ICT organisations in an integral and structured way so that the intended strategic level is achieved. Using this growth model it is thereby possible to systematically create a gradual, controlled transformation process. The ICT organisation can thereby be made sufficiently adaptable and be adequately coordinated with the future direction and objectives of the organisation. Any growth phase of the model illustrated in Fig. 3 has its own features, areas of interest and performance indicators, of which the most important are explained in brief.

The first growth phase, technology-driven, symbolises the situation in which users follow business demands and wishes, there is little formal attention to problems and modifications, and management is not affected by the processes. The ICT organisation is interested in the technology and places emphasis on creating and maintaining the data supply. The processes are therefore focused on the technology with most resources spent on operations and management. The project and service activities are carried out ad hoc and there are no formalised procedures, cost estimates and planning for work. The available aids are not uniformly applied and the defined performance indicators are aimed only at technical performance.

The second growth phase, control, reflects the situation in which the role of the users appears different compared to their role in the previous phase, the technology is under control and there is sufficient focus on aspects of controllability with the aim of efficient production. In this phase users start to make choices instead of passively following. Processes are reasonably controlled and documented, and are not customer-oriented. The ICT organisation is preoccupied with creating efficiency through responsible planning and budget control. Operations and management make optimum use of available resources and focus on the process quality using standards. Project processes are replicable and the responsibilities for the service activities are defined with an internal focus on costs and efficiency among other things. In the control phase, the performance indicators are directed towards the scope of application of norms and standards.

Fig. 3. The growth phases of ICT organisations [figure; axes: Strategic dimension, Business value; phases from lowest to highest: Technology-driven “Guarantee availability”; Control “Efficient production”; Service-oriented “Define performance”; Customer-oriented “Translate customer demands”; Business-oriented “Proactively contribute”]

The third growth phase, service-oriented, represents the situation in which users fulfil a more active role, processes are not yet fully client-orientated and the focus is on short time-to-market (internal focus), and on delivering quality products and services, and production achieves a good price/quality ratio. Users are not just allowed to but do make choices as in the previous growth phase. These also determine the required and desired products and services to be supplied, and provide tangible form on this issue. The ICT organisation is well aware of the standard of products and services that it can supply and defines the required performances for the issue. Operations and management offer quality services and are cost-effective processes. Project activities are thus such that the process can still be implemented in the same way in an emergency situation and there is a basis for optimising it. With regard to service activities, Service Level Agreements (SLAs) are concluded and the services thereby focus more and more on the client. Performance indicators are not yet based on innovation but are mainly focused on processes whereby services can be measured using the agreed SLAs, on the finances giving a better understanding of the cost/service ratio per SLA and in the encroachment per service area, and on the client whereby it can be measured to what extent requirements and wishes are taken into account in the concluded SLAs.
The fourth growth phase, client-oriented, denotes the situation in which users play a prominent role, processes are client-oriented and focus on short time-to-market (external focus). Users do not just indicate which products and services are to be offered but have also taken ownership of this. The ICT organisation makes arrangements for the products and services to be provided and is able, through its client-oriented processes, to implement the set requirements and to anticipate the client’s wishes (reactive). The account management process is defined so that a suitable, appropriate contact partner is present to ensure that the end result is in accordance with the client’s expectations and specifications. The project activities are managed in such a way as to achieve a noticeable improvement in quality. Service activities are carried out internally and externally so as to offer maximum ‘value for money’. Performance indicators from the previous growth phase can also be used for this growth phase.

The fifth and final growth phase, business-oriented, is the situation in which users occupy a dominant position, primary processes are self-explanatory and optimally set up, and constantly updated. The openness of management and personnel over ‘lessons learned’ and the willingness to apply this accumulated experience is rewarded, and testing with different methods and approaches is encouraged. Users are not just the owner of the ICT products and services, but also dictate developments in the ICT organisation. This organisation proactively delivers added value to the client’s primary process, continuously follows developments in the subject and is able to implement radical changes. Project activities are enhanced by continuously adjusting them. In this phase the focus is on the coordination of the process in contrast to the previous growth phase where attention was mainly focused on optimising products and services. Service-oriented activities are in the nature of a partnership and are proactively directed towards the changing user organisation. Performance indicators for the processes are based on optimum management of any overheads, and the finances focus on the cost/benefits of the ICT organisation. As regards the client, it is measured how this organisation offers support. Blank indicators are also used to monitor the progression of process optimisation.

“Using this growth model it is thereby possible to systematically create a gradual, controlled transformation process.”
2.4 Process model

In Fig. 3 different growth phases are shown with the associated features and points of focus. Using this, ICT organisations are able to determine the current and the target position so that they can achieve any desired growth. Based on the vision and objectives, a route should be mapped which is used to specify how to pass from one growth phase to another. The well-known Nolan process model, the cloverleaf model, is used for this purpose and presents the aspects that should be in balance so that an effective ICT organisation can be discussed. The process model is split into two parts, i.e. supply and demand. The demand side reflects the processes and their connection and emphasises the end users and their dominant culture which together form the demand side. In other words, the demand side, also known as the business side, stipulates the demands and wishes that must be met in order to be able to achieve the vision and objectives of the organisation. The supply side relates to the way in which ICT is managed and organised whereby special attention is given to policy, structure, planning, procedures and work instructions. This part also relates to the infrastructure on which the actual ICT operations are carried out in order to be able to deliver the required functionality. In other words, the supply side, also known as the ICT side, offers the support required and desired by the demand side in order to facilitate achieving the vision and objectives of the organisation. We have tailored the process model to the risk management organisation and illustrated it in Fig. 4.

Fig. 4. Nolan process model [figure; four leaves: Management & Organisation, Processes, ICT infrastructure, Humans & Culture; centre: Effectiveness of risk management]

A self-assessment is carried out using the process model, the result of which provides a picture of the phase in which the ICT organisation is situated. Taking into consideration the vision and objectives of the organisation the target phase can be established, after which a route to this desired position should be planned. Plateau plans can be made for this, taking the Nolan process model as a basis and adapting it to go through anticipated growth in a phased, controlled and balanced way. For any transformation it must be clear what indicators are to be met in order to reach a subsequent phase. These indicators are spread over the aspects of the process model on which the plateau planning per growth is phased towards a subsequent phase. A graphic representation of this starting point is presented in Fig. 5.

Fig. 5. Plateau planning model [figure; Start plateau, Plateau I, …, Plateau N, leading to the Vision & objectives]
3. Growth phases in data security and risk management

As already explained, there is a need for a more modern method for the strategic dimension of risk management with the aim of making data security and risk management more adaptive. Using this new approach it should be possible to take the organisation’s vision and objectives as a starting point, apply a systematic approach, set the desired goals in a phased and controlled way and demonstrate the achieved performances. In our view the growth model and the process model can adequately meet these requirements.

Risk management organisations may be in various growth phases and aspiring to the required change in order to achieve the intended goals. This growing transformation requires a tool that balances supply and demand. The process model is adequate for achieving the required aspects for the desired balance and serves as a basis for gradually and systematically achieving the required and desired growth.

3.1 Growth model

The growth model is based on the ‘thinking in growth phases’ principle with the associated features, focus areas and performance indicators. Depending on the type of organisation and its vision and objectives, the model can also provide a better view of the most suitable system for data security. In our opinion, using the growth model, organisations can assess the current quality of the package of control measures and activities, and whether this package is adequate, inadequate or perhaps excessive for the type of organisation. In addition, the model also shows what the next step may be to achieving the level of ambition, if this has not yet been achieved. We would stress that the level of ambition must be appropriate to the organisation. Specifically, this means that the aim is not the maximum growth phase but the phase that is best suited to the organisation. Fig. 6 shows a number of features and points for consideration for the various growth phases, together with the type of associated performance indicators. These aspects apply to data security and are explained in more detail below.

Fig. 6. Application of the growth phases to data security
Business-oriented – “Chain management”: Risk management is aimed at chains. Compliance is in accordance with legislation and regulations. Performance indicators focus on governance.
Client-oriented – “Demonstrate compliance”: Client recognises risks. Risk management and compliance is client-specific. Performance indicators tailored to client-specific service and security agreement.
Service-oriented – “Risk analysis”: Which risks pertain to the service. Risk management is generic and is directed at the provider. Performance indicators focus on general service and SLA.
Control – “Baseline”: There must be a basic level. Do what is normal. Keep in step with others. Risk management is focused on measures. Performance indicators based on norms and standards.
Technology-driven – “Incident-driven”: Non-formalised and technical management of ICT. Risk management is focused on dealing with incidents and providing good back-up. Performance indicators focus on technology.

3.1.1 Technology-driven

In this phase, data security is controlled based on incidents. If something goes wrong, repair work is carried out. Whether a structural improvement takes place depends on the individual professionalism of those following up the incident, often those who have been most affected by it. There are ad hoc actions and ‘what happened is just a glitch’.

This phase is suitable for organisations who approach information and ICT from a technical perspective and manage these key elements in an informal way. The key security measures are creating a back-up and dealing with security incidents, and the performance indicators are of a technical nature.

3.1.2 Control

In this phase there is at least a basic level of data security. This basic level may be accepted based on an external standard, such as the Dutch Data Security Code (Code voor Informatiebeveiliging), or based on ‘gut instinct’. The vision of the organisation is that the importance of data and ICT is such that there must be basic security, in line with what is customary for this type of organisation. The motto is ‘following in the steps’ of others. Security is not so systematic but more measure-driven. There is no basis for action per se other than that the collection observes ‘good practice’. This collection of measures is controlled: the organisation checks the on-going implementation of the measures at given times. The performance on quality of the implemented measures is predictable.

This phase is suitable for (parts of) organisations for which information and ICT are under control and play a general supportive role to the primary operating processes. It is not at the heart of the organisation, but appropriate care based on norms and standards is desirable, on which the performance indicators are based. The use of data and ICT is reasonably uniform: no major risks should occur.

Note that this phase is also very suitable for situations in which organisations share data or ICT resources with each other, for example, in a collaborative arrangement. Thus almost all multinationals have defined a basic level of security for data and the ICT infrastructure which the various units within the organisation share with each other.

3.1.3 Service-oriented

The service-oriented phase is the first phase in which risk analysis plays a real part. There is an awareness of the risks to one’s own organisation associated with services or products. The risks are not specific to the purchaser of the services or products but are generic and/or are concentrated on the provider organisation. An example is an email service provider. General risks that this provider must confront, because otherwise it is out of business, relate to continuity and availability of the service. For some years now, virus detection has been added but more as a service to the client than as a recognised risk.

This phase is suitable for organisations that provide a general service with associated services for which an SLA is concluded. General ICT service providers, telecom providers and other providers of general infrastructure belong to this phase.

3.1.4 Customer-oriented

In this phase risk management is specifically tailored to users of the services who are regarded as the prominent client for whom a fixed contact is appropriate. In addition risk management is organised for the benefit of the client and the effectiveness of the operation of the security measures is made transparent to the client. The client knows in advance what the client-related risks are and formally registers these. This registration normally takes place in the form of a security agreement in which agreement is reached. This client demands to be informed by its contact over compliance with the arrangements made and over the agreed specific performance indicators. ‘Separation of duties’ and contrasting technical and regulatory duties are an integral part of this.

To expand the example of the previous phase: a provider of email services should not just manage the general risks but also conduct an analysis, based on the concluded security agreement, into the client’s use of the email service. If, so to speak, stock orders are placed by email there are then relevant risks over the identity of the sender of the email, the confidentiality and integrity of the content, prompt delivery, etc. This provider should also offer the associated security services and make the operation of these services transparent.

3.1.5 Business-oriented

In this phase risk management is aimed at added value and confidence in the entire sector, chain or part of the company. There is talk of consistency and ‘governance’. The conduct of the organisation is proactive and is predictable and transparent such that this trust in continuity is guaranteed. The framework of standards for this is mostly specifically developed or is often laid down in external, public standards or in legislation and regulations. Compliance with this framework of standards is organised within the sector. There is often an external regulator.

Naturally, banks and insurers belong in this phase. Regulation here is carried out by De Nederlandsche Bank (DNB), under the Financial Supervision Act (Wet op het financieel toezicht - Wft). Listed companies are also expected to be in this phase. The Code Tabaksblat (Dutch corporate governance code) relating to sound business management, the Sarbanes-Oxley (SOx) legislation and regulation by the Financial Markets Authority (FMA) are decisive here. Organisations with a more than average high risk belong in this phase. Examples of these are certain parts of the administration and organisations with a social role and significance; organisations that have external liability and organisations with major financial interests. Service providers to this type of organisations also fit in this phase. Note that these service providers are willing to offer the service tailored to the client’s risk.

“The objectives must be appropriate to the organisation and do not need to be top level per se”
3.2 Process model

The Nolan process model is based on the balanced-thinking principle, which means that the organisation of risk management should take into consideration the aspects that influence the balance between supply and demand. Depending on where the risk management organisation is and where it wishes to go, plateau plans can be created following a natural growth path to achieve this objective. We present a simple approach for this comprising four stages, which are briefly described below:

Stage 1: Objectives. The aim of this is to determine the goal. The required and desired objectives (i.e.: technology-driven, controlled, service-oriented, client-oriented or business-oriented) are analysed, delimited, defined and recorded at this stage. To do this, interviews are conducted with senior managers, the Chief Information Officer (CIO) and the Chief Security Officer (CSO) with the aid of questionnaires.

Stage 2: Baseline measurement. The aim of this stage is to determine the starting point, to plan the route to the goal and to document this. Here, the gap between the current situation and the objectives is defined and laid down. To do this, interviews are held with the CIO, CSO, business representatives and technical personnel. Questionnaires based on the process model are used for these sessions.

Stage 3: Interim measurement. The aim of this is to analyse progress. Progress in implementing the measures taken to achieve the objectives is analysed and documented. The relevant activities are based on the results of the baseline measurement, with discussions held with the CIO, CSO, business representatives and technical personnel.

Stage 4: Final measurement. The aim of this stage is to indicate whether the intended goal has been achieved and/or any remaining risks are acceptable. Based on the results from the preceding stages, the interviews required for the final measurement are conducted with senior managers, the CIO and the CSO, the outcome of which is recorded and distributed.

Use of this approach may encourage a dialogue between the different levels of the organisation. This means that senior managers responsible for risk management, together with the rest of the interested parties, must jointly determine the desired and achievable objective and work towards it together. On the one hand this regulates sponsorship and on the other the involvement of the various desired levels of the organisation. It is therefore a shared goal for strategically defining risk management jointly. Fig. 7 provides a graphic illustration of this approach. In this illustration it is assumed that the result of Stage 1 (objectives) is the business-oriented phase and the result of Stage 2 (baseline measurement) is the controlled phase. Based on these assumptions, the planned route to the desired goal and the scope of Stage 3 (interim measurement) are specified. It is also assumed that the intended goal is achieved (Stage 4) and that any remaining risks are acceptable.

Fig. 7. Approach for transforming risk management organisations
(Figure residue, staircase of phases from bottom to top: Technology-driven, “Incident-driven”; Control, “Baseline”, Starting point; Service-oriented, “Risk analysis”, Route planning; Customer-oriented, “Demonstrate compliance”, Progress analysis; Business-oriented, “Chain management”, Destination / Destination reached.)

For clarification, we briefly explain the aspects of the process model for risk management organisations in the controlled and business-oriented phases respectively. A number of features from each phase are clarified, giving a better picture of the balanced approach to the system of risk management.

3.2.1 Control

There is a security manual that contains at least the policy and a basic level for security. The organisation has introduced a basic level of security. The measures are based on external standards and tailored to the organisation. The measures are not selected based on any analysis of what is required but on good practices in the market, combined with an instinct of whether a measure is appropriate to the organisation or not: a sort of simple risk analysis at measure level. The organisation wants to keep in step with similar companies in the market. The organisation has a clear view of the implementation of this basic level because an audit is also conducted at this basic level. Any deviations are systematically corrected.

Management & organisation: ultimate responsibility for data security rests with ICT or the information security manager. The other responsibilities of staff departments and the operational departments are also specified. There is a form of organisation in which there is coordination of activities, e.g. a project or implementation group.

ICT infrastructure: External links are controlled. For example, there are firewalls. Identification and authentication for access to network, platforms and applications always takes place. Logical access security and authorisation control are set up based on line management control.

Humans and culture: The human factor is not forgotten. Regular campaigns take place to promote awareness among personnel when handling threats to data and ICT (security awareness). There are also rules of conduct, e.g. for handling emails, Internet use and other services provided.

Processes: The process of data security, or Information Security Management System (ISMS), is outlined and implemented. It is the starting point for day-to-day activities. Audits take place and there is the option of certification. The basic level is referred to in communication with partners, clients and suppliers. Because this is based on a public standard, the stakeholders know what to expect overall. Additional assurance can be offered, as stated, through certification or through a Third Party Audit (TPA). Within the organisation joint processes are defined for, at least, incident management, authorisation control and continuity. The organisation is aware of general statutory requirements relating to, for example, privacy, computer crime and intellectual property rights.

3.2.2 Business-oriented

There are legislation and regulations specific to the sector which are aimed at protecting the stability of this sector as a whole, including the interests of chain partners and those of consumers. There is a governance system set up to ensure continued compliance, or the reporting of non-compliances.

Management & organisation: There is an external regulator. Governance is organised in the sector. Participating organisations require a license from the regulator. It is compulsory for companies within the sector to take part in the governance process. The organisational form provides for periodical accountability to this regulator as well as compulsory reporting of specific incidents / disasters. Key officers are made known to the regulator. Their personal integrity is examined. Regulation is carried out based on ‘comply and explain’ (demonstrable compliance). The compliance structure provides for all officers to be held accountable for their control over internal control measures, which must take into account compliance in their design and effect.

The responsibility of senior management includes: reporting on management supervision of risk management, including accountability of actions to natural persons, policy and control for risk management. Senior management is responsible for and confirms externally that it has approved the risk management process and is informed of the effective implementation. Responsibilities of senior management also include external reporting of on-going control of the risks of outsourcing and third party interests.

ICT infrastructure: The senior management of the organisation reports, backed by audit results and internal control declarations, on the policy and guidelines as well as the scope of implementation with regard to authentication, non-repudiation, integrity, division of duties, audit trails and confidentiality of specific information. The security architecture allows for a transparent interpretation of the functional requirements into a technical implementation, including the associated control processes. Classification is carried out in the ICT infrastructure.

Humans and culture: Personnel may also be asked explicitly to declare that they comply with specific codes of conduct. An example is that personnel are not permitted to hold any stake in clients of the organisation. Adequate information is issued to clients. The responsibilities of the organisation and the consumers are made explicit.

Processes: There is a transparent internal governance process that is aimed at on-going, demonstrable compliance with the legislation and regulations from the external regulator. There is a joint governance process within the sector in which the compliance of all players is relevant, e.g. due to public confidence in the sector. Compliance management is integral to the relevant processes; control of aspects of compliance is possible. The managers within the company processes are accountable to senior management by means of an In Control or some other management declaration. Risk management is also aimed at risks in respect of the whole sector and the social interest. Public confidence and politics are examples of risks that may be taken on board.

Authorisation control is set up in accordance with external legislation and regulations. Division of duties is integrated in authorisation control; there is an authorisation desk and maintenance of authorisations. Senior management endorses and accepts responsibility for the effective system of continuity management (capacity management, business continuity and contingency planning). There are periodic ‘walk-throughs’ and ‘emergency drills’, if necessary with the chain partners. If the sector is closely interconnected or has become concentrated in one place, sector-wide continuity exercises also take place. With regard to incident management too, senior management confirms that it has set up effective incident management, and senior management accepts responsibility for the operation of this process.

There is a structure for external and internal auditing that allows for all relevant audit items to be periodically covered based on the external and internal framework of standards. An audit of the chain is also organised. Chain partners have their own audits conducted. The external regulator has issued regulations. The organisation demonstrates compliance with these. There is awareness of other legislation and regulations for the sector. Senior management accepts and also confirms which specific legislation and regulations are recognised.
4. Closing remarks

For some time now, risk management has not focused just on identifying and analysing technical risks, and it is also no longer a specific subject for colleagues. Risk management has now become an important part of day-to-day operational running and enjoys the attention of senior management of organisations in different sectors. The high standards of legislation and regulation and of this dynamic market, together with the continued growth of ICT, have meant that the traditional approach to risk management is no longer adequate. A new method is required that takes into account the business vision of the organisation, encourages a systematic approach and allows the performance achieved to be measured. This approach is really necessary in order to continue living up to the strategic image now gained by risk management.

In this article, for this purpose, we have used standard models and growth phases of the ICT industry with the aim of bringing risk management organisations up to the required strategic level. To do this, we have combined the theoretical knowledge of the models and phases with our own practical experience. We thereby hope to make a contribution to positioning risk management in organisations so that its added strategic value becomes and remains more obvious.
About Atos

Atos is an international information technology services company with annual 2011 pro forma revenue of EUR 8.5 billion and 74,000 employees in 48 countries. Serving a global client base, it delivers hi-tech transactional services, consulting and technology services, systems integration and managed services. With its deep technology expertise and industry knowledge, it works with clients across the following market sectors: Manufacturing, Retail, Services; Public, Health & Transports; Financial Services; Telecoms, Media & Technology; Energy & Utilities.

Atos is focused on business technology that powers progress and helps organizations to create their firm of the future. It is the Worldwide Information Technology Partner for the Olympic and Paralympic Games and is quoted on the Paris Eurolist Market. Atos operates under the brands Atos, Atos Consulting & Technology Services, Atos Worldline and Atos Worldgrid.

For more information, visit: atos.net
For more information, please contact dialogue@atos.net

Atos, the Atos logo, Atos Consulting, Atos Worldline, Atos Sphere, Atos Cloud, Atos Healthcare (in the UK) and Atos Worldgrid are registered trademarks of Atos SA.
atos.net, April 2012. © 2012 Atos.