Preview of Crisis Management Foundation from ds.co.za How to assess risk in a crisis with special emphasis on Information technology.

1. CrisisManagementFoundation
Crisis Management
Foundation
ds.co.za
dealing with incidents that have a severe negative
business consequence

2. 14. it risk landscape

3. CrisisManagementFoundation
Objectives
• The meerkats and risk
• The Toyota logo
• DA matrix

4. CrisisManagementFoundation
Risk
Meerkats have a sentinel or lookout role performed by
non-breeding members of the community. They watch
for possible predators and other potential threats to
the community. This behaviour is also called the raised
guarding position. This position rotates amongst
different members of the group in no particular order
or structure. Sentinels are usually around when the
group is foraging away from the burrow. The meerkat
on the lookout will sound an alarm by producing a
distinct bark. This allows the offspring to escape inside
the burrows and under protection of adults.Meerkats
are aware that life is full of risks, like cobra's and eagles
and thus plan to mitigate those risks. In the workplace
a person cannot be ignorant about the risks associated
with problems occurring. Evaluate what you have done
to mitigate those risks!

5. Addressing the IT risk management landscape
www.deesmith.co.za

6. CrisisManagementFoundation
Risk
• It is crucial to be able mitigate the risk associated with problems
and thus an established risk analysis methodology needs to be
adopted and utilized. How will we know if the problem is required
to be solved or not?
• How will we know which problems need to be worked on and
prioritized over others?
• The risk assessment methodology needs to cover the landscape –
refer the TOYOTA logo

7. CrisisManagementFoundation
The three ellipses
There are three ellipses visible in the company’s logo. Each ellipse
represents the heart of the customer, the heart of the product and
the heart of technological progress.

8. CrisisManagementFoundation
The IT landscape / DA matrix
A matrix of overlapping areas with the
areas being people, process and
technology.
Many practitioners concentrate on a
single block but then that only addresses
a small area of risk that will be mitigated.
Each block has a present and future:
• Threat
• Opportunity
These are underpinned by perceived:
• Strengths
• Weaknesses
These blocks can be viewed as there
own SWOT (see example SWOT
template)
Areas
Disciplines

9. CrisisManagementFoundation
Disciples of risk in the IT landscape
To be able to highlight threats in each area of the IT landscape
there are three attributes that can be used on focus on:
• Confidentiality. Information and services is accessible only to
those authorized (unauthorized disclosure)(loss)
• Integrity. Safeguarding the accuracy and completeness of
information and services (unauthorized modification or
misuse)(error)
• Availability. Authorized customers have access to the information
and services when require (destruction)(failure)
derived from CRAMM

10. CrisisManagementFoundation
CIA

11. CrisisManagementFoundation
An example SWOT template
S W
O T

12. CrisisManagementFoundation
Rapid risk assessment
• Rapid framework
• Provide a mechanism process threats using lights, camera and action
methodology
derived from CRAMM and ITIL
Landscape
/ metric Description Type Assessment* Value Vulnerablity Assessment* Value Threat Risk level Control Countermeasures Decision Mitigation Responsibility Relevant policy
PC
Describe the risk (will maintain
intellectual property) Confidentiality Confidential 3 Loss Moderate 2 6 Medium
Not
applicable Provide countermeasures
Control &
countermeasure Insufficent Not applicable
PI
Describe the risk (sufficiently
trained) Integrity Moderate 2 Errors Significant 3 6 Medium
Not
applicable Provide countermeasures On hold Partial Not applicable
PA
Describe the risk (right seats on
the bus) Availablity Negligible 0 Failures High 4 0 Low
Not
applicable Provide countermeasures
Control &
countermeasure Majority Not applicable
OC
Describe the risk (engineered not
to leak) Confidentiality Secure 4 Loss Moderate 2 8 Medium
Not
applicable Provide countermeasures
Control &
countermeasure Insufficent Not applicable
OI
Describe the risk (without
ambiquity) Integrity Catastrophic 4 Errors Significant 3 12 High
Not
applicable Provide countermeasures
Control &
countermeasure Partial Not applicable
OA Describe the risk (repeatable) Availablity Mandatory 4 Failures High 4 16 High
Not
applicable Provide countermeasures
Control &
countermeasure Majority Not applicable
TC
Describe the risk (system
information protection
requirements) Confidentiality Secure 4 Loss Moderate 2 8 Medium Substitute Provide countermeasures
Control &
countermeasure Insufficent Not applicable
TI
Describe the risk (system
validation requiremenst) Integrity Catastrophic 4 Errors Significant 3 12 High
Not
applicable Provide countermeasures
Control &
countermeasure Partial Not applicable
TA
Describe the risk (system uptime
requirements) Availablity Negligible 0 Failures High 4 0 Low
Not
applicable Provide countermeasures
Control &
countermeasure Majority Not applicable
Evaluation
People
Process
Technology
Mitigation
ActionLights Camera
Impact (consequence
of event)
Vulnerablity
(liklihood of
occurrence) Analysis

13. CrisisManagementFoundation
Process (lights, camera, action)

14. CrisisManagementFoundation
Process (lights, camera, action)
• Lights. List all of the dangers or possible situations associated
with the event activity that may expose services or information to
threats. List these in the template. Use experts or experienced
people to advise you on your risk assessment.
• Camera. Rate or assess what the vulnerability (likelihood) is of
services and information being exposed to threats and what the
impact (consequences) could be as a result of the threat
occurring.
• Action. Identify what practical measures could be put in place to
eliminate or reduce the likelihood of the threat occurring. This is
where changes are made to the event to reduce the risks. Use the
hierarchy of control system to minimise or eliminate threats by
putting in place potential to manage the threats once you have
assessed their risk level.

15. CrisisManagementFoundation
Risk – Lights

16. CrisisManagementFoundation
Risk – Camera

17. CrisisManagementFoundation
Risk – Camera

18. CrisisManagementFoundation
Risk – Camera

19. CrisisManagementFoundation
Impact (consequence of event)
• Catastrophic
• Multiple deaths, escalated and debilitating costs, adverse media coverage
• Major
• Serious health impacts for people or permanent disability, severe costs
incurred, widespread media coverage
• Moderate
• Rehabilitation required for injured persons, costs incurred, media and
community concerned
• Low
• Injuries resulting in lost time and claims, some costs incurred, minor isolated
concerns raised by stakeholders, customers
• Negligible
• Persons requiring first aid, insignificant costs incurred, minimum impact to
reputation

20. CrisisManagementFoundation
Vulnerability (likelihood of occurrence)
• High
• It is expected to occur in most circumstances, availability required (excluding
scheduled maintenance), there is a strong likelihood or danger of reoccurrence
• Significant
• Similar dangers have been recorded on a regular basis, availability recovered in
minutes, considered that it is likely that the event could occur
• Moderate
• Availability recovered in hours, incidents or dangers have occurred infrequently
in the past
• Low
• Very few known incidents of occurrence, availability recovered in days, has not
occurred yet, but it could occur sometime
• Negligible
• No known or recorded incidents of occurrence, remote chance, may only
occur in exceptional circumstance

21. CrisisManagementFoundation
Risk – Action

22. CrisisManagementFoundation
Controls
• Eliminate (the threat)
• Remove or stop the threat if possible, remove the cause or source of the threat, by
eliminating the machine, task or work process. If this is not practical, then substitute.
• Substitute (the process)
• Use a less problematic process. If this is not practical, then engineer.
• Engineer (change the technology)
• Introduce different technology. Improve maintenance procedures. If this is not
practical, then:
• Isolate
• Separate or isolate the threat from people by relocation or by changing the operation.
If this is not practical, then administer
• Administer
• Design and communicate written or verbal procedures that prevent the threat from
occurring. If this is not practical, then protect
• Protect
• Provide protect measures appropriate to the risk. Provide training information and
supervision to ensure that the measures will be effective and efficient.

23. CrisisManagementFoundation
Decision
• Control & countermeasures
• Determine what controls are currently in place and which are appropriate to use in
relation to mitigation of issues which are likely to occur.
• Risk transference
• Transferring the cost of the risk occurring to another party such as an
insurer
• Risk acceptance
• Accepting a risk without implementing any mitigating measures
• Risk avoidance
• Disabling or stopping the activity which contributes most to the risk
potentially occurring.

24. CrisisManagementFoundation
Risk (special case) – Information
Security

25. CrisisManagementFoundation
Review
• IT Risk involves all aspects of human behaviour as well as
systematic structures and technology.