IT Risk Management and IT Infrastructure Management
7/30/2019 IT Risk Management and IT Infrastructure Management
College: NMIMS, Mumbai
By:
Subhada
Nishant Kumar
INDEX
1. INTRODUCTION ... 3
2. IT INFRASTRUCTURE MANAGEMENT ... 4
2.1 APPROACH FOR IT INFRASTRUCTURE MANAGEMENT ... 5
2.1.1 Simplify the IT infrastructure ... 5
2.1.2 Increase operational efficiency ... 7
2.1.3 Retain and grow ... 7
3. IT RISK MANAGEMENT ... 8
3.1 INTEGRATION OF RISK MANAGEMENT INTO SDLC ... 8
3.2 RISK ASSESSMENT ... 9
3.3 RISK CATEGORIES ... 11
3.4 MANAGING RISK ... 17
4. CONCLUSION ... 18
SUMMARY
We are more dependent than ever on IT to run our businesses, yet IT failures are
commonplace. At the same time, our IT environments are becoming more complex and hence
managing IT Infrastructure together with reducing exposure to all types of IT risk is
important.
operational and economic costs of protective measures and achieve gains in mission
capability by protecting the IT infrastructure and data that support their organizations'
missions.
Minimizing the negative impact on an organization and the need for a sound basis in decision
making are the fundamental reasons organizations implement a risk management process for
their IT systems. Effective risk management must be fully integrated into the SDLC (software
development life cycle). The fact is, if we don't do proper infrastructure management and
don't get IT risk under control, we put the entire business at risk. Thus optimised usage of
available infrastructure resources together with proper risk management is the call of the day
to ensure reduced cost in the present economic condition.
2. IT INFRASTRUCTURE MANAGEMENT
As the business grows, the number and complexity of the data processing systems and the
workload on the server room increases, placing greater demands on the IT infrastructure.
Increased demand means increased power consumption, and with rising energy costs, mid-
sized businesses are faced with the imperative to do more with their IT infrastructure for less.
The solution to the problem is to efficiently manage and optimize the available IT
infrastructure. By optimizing the IT infrastructure the business can be the recipient of many
benefits, including:
Energy cost savings
Reduced energy consumption
Improved efficiency
Maximized power consumption
Managed capacity
Shared resources
Reduced complexity
Lower unit cost
Easy administration
Fast response rate
2.1 Approach for IT Infrastructure Management
IT infrastructure management is the process of modifying the IT infrastructure so that it is
more consolidated, flexible and automated. An optimized IT infrastructure facilitates the
integration of new business applications. It fuels growth by managing costs with enhanced IT
asset utilization, reduces operating expenses and makes it easier to keep the entire IT
infrastructure in line with the growth objectives of the company. All businesses, regardless of
size, can enjoy the benefits gained from IT optimization. An effective approach to
infrastructure management involves three stages:
1. Simplify the IT infrastructure and manage assets for a positive financial impact on the
corporate strategy.
2. Increase operational efficiency to enhance flexibility and maximize power consumption.
3. Retain and grow the IT infrastructure to align with company business goals, without costly
renovations.
Simplification consolidates and virtualizes the IT environment, including servers, storage and
network assets, into logical asset pools to improve IT resource utilization and lower
infrastructure complexity. This provides you with a more complete view of data, which can
minimize costs. Increasing operational efficiency is essentially automating capacity and
workload management for increased flexibility. Ultimately, you achieve policy-based
computing, which results in better IT and business alignment. Retain and grow is a strategy
of realigning the IT budget by using savings in maintenance and operational costs to invest in
growth initiatives. Below the three steps are described in detail:
2.1.1 Simplify the IT infrastructure
Simplification includes consolidating and virtualizing the IT infrastructure to:
1. Reduce IT operating costs and complexity.
2. Maximize the performance of resources.
3. Manage the IT environment more easily and effectively.
4. Dispose of and recycle unused IT assets safely.
Some typical cost reductions associated with IT asset simplification include:
1. Server consolidation (4 to 1)
2. Storage consolidation (25%)
3. Support automation (30%)
Simplification of IT assets provides a consolidated view of data, regardless of where it is
housed, freeing up the valuable resources so that they can focus on exploring innovative ways
to gain competitive advantage. One can also reuse the assets more easily, which reduces the
cost of change in the IT environment. Simplification provides an architecture and platform
that centrally supports and manages applications that are currently maintained at different
sites. It also uses automated provisioning, which lowers costs by removing labor-intensive
tasks. This can dramatically improve the decision-making, increase productivity, improve
relationships with customers, partners and suppliers and create more uniform customer
service.
Virtualization is a significant component of asset simplification. When you establish multiple
virtual servers per physical server, you are likely to enjoy noticeable cost savings. With a
broad set of virtualization capabilities, including cross-platform virtualization, automation
and systems management solutions, mid-sized businesses like these can simply and
dynamically access and manage resources for better asset utilization and reduced operating
costs. You can incorporate an intranet and extranet portal to share information to further
facilitate productivity improvements and cost savings. When the physical server utilization
rates increase, the virtual servers are provisioned quickly and automatically. Such automation
lowers the provisioning costs while letting the IT environment respond quickly to changing
business needs.
With automatic workload management, the IT infrastructure utilization rates can be high
without the burden of costly labor-intensive manual system configurations. Utilizing multiple
virtual servers per physical server will also dramatically reduce licensing costs in many
configurations and facilitate administration.
2.1.2 Increase operational efficiency
When the technical resources are consumed with problem determination and resolution, it can
adversely affect efficiency and productivity. This is because identifying the root cause of
problems and rectifying them can be extremely time-consuming and very costly. The same
National Institute of Standards and Technology study showed that 80% of development funds
are spent identifying and fixing problems. Why does problem determination and resolution
claim so much time and money? Because many companies rely on manual processes to
identify and solve problems: manual processes that can impair a company's
competitiveness. By reducing the time that the staff spends on problem determination and
resolution and by increasing the productivity of all technical resources, the IT infrastructure
and staff can promote rather than inhibit the on-demand business.
The benefits of increased operational efficiency include:
1. Better server and storage use
2. Less server redundancy
3. The cost savings of automated provisioning
4. IT assets that are aligned with business requirements through orchestration
2.1.3 Retain and grow
IT budgets have two components: spending on new initiatives and spending to operate and
maintain IT organizations, systems and equipment. As stated earlier, companies typically
spend approximately 80% of their budgets on maintenance and operations, leaving very little
for new projects, such as integrating business processes with key partners, suppliers and
clients. IT managers are seeking help to align IT resources and budget to focus on supporting
the strategic objectives of the company.
As you reduce the complexity and improve how the IT assets are used, the maintenance and
licensing cost savings can be reallocated from routine operating expenses to strategic
investments, such as innovative technologies, services, techniques and strategic opportunities.
By integrating existing systems into a flexible IT infrastructure, you are giving IT the tools to
respond to changing business priorities rapidly. By integrating the data, you can send a
unified view of information to the right people at the right time, helping them to make
informed business decisions based on the best and most comprehensive data.
Another IT asset that you may wish to optimize is the Web site. It is not only a
communication and support tool for customers, but it is also a communication tool for
investors and suppliers, so it must be fast, reliable and fully functioning 24x7.
3. IT RISK MANAGEMENT
IT risk management is the identification, assessment, and prioritization of risks, followed by
the coordinated and economical application of resources to minimize, monitor, and control the
probability and/or impact of unfortunate events. Because IT risk is not limited to security,
treating it this broadly enables organizations to identify weak or overlooked risk domains. The
risk can be divided into four categories: business disruption, relational, technology, and IT
governance. Thus, in this context an IT risk is the potential for exposure to loss for the
organization from a failure in any aspect of the IT environment, and falls within the risk
domains of business disruption, relational, technology, and governance.
3.1 Integration of risk management into SDLC
Minimizing negative impact on an organization and need for sound basis in decision making
are the fundamental reasons organizations implement a risk management process for their IT
systems. Effective risk management must be totally integrated into the SDLC. An IT
system's SDLC has five phases: initiation, development or acquisition, implementation,
operation or maintenance, and disposal. In some cases, an IT system may occupy several of
these phases at the same time. However, the risk management methodology is the same
regardless of the SDLC phase for which the assessment is being conducted. Risk
management is an iterative process that can be performed during each major phase of the
SDLC as shown below:
3.2 Risk Assessment
Risk assessment is the first process in the risk management methodology. Organizations use
risk assessment to determine the extent of the potential threat and the risk associated with an
IT system throughout its SDLC. The output of this process helps to identify appropriate
controls for reducing or eliminating risk during the risk mitigation process. The risk
assessment methodology encompasses nine primary steps:
3.3 Risk Categories
Generally speaking, organizations today must address four main types of IT risk:
3.3.1 Business Disruption Risks
Business disruption risks include malicious attacks and online privacy issues, as well as
external events that could hinder a firm's continued operations. They can be of four types:
Business continuity risk: Poor or inadequate planning on IT's part remains a major
business continuity risk. On the other hand, one CISO observed that the business is at
risk of solely associating business continuity planning (BCP) with IT recovery at the
expense of ignoring logistical and resource issues outside of IT's direct control (e.g.,
accessing Rolodexes kept in a locked desk that is no longer accessible). Insufficient
resources, driven by a short business attention span that is only galvanized by disaster,
are another business continuity risk and hinder BCP from being taken seriously.
Finally, inadequate BCP on the part of a supplier, vendor, or business partner can be
the Achilles' heel of even the most thorough BCP effort because of increasingly
interdependent relationships with third parties.
IT security risk: IT security risks are growing as the reasons and means for disrupting
business increase. However, resource cutbacks have hamstrung some security
organizations from dealing with new security threats or reacting quickly to attacks.
Because IT security risk is rarely on the mind of the business unless there are
significant breaches in the news, it is hard for the business to understand residual
security risk and allocate resources accordingly.
Online risk: Limiting customer input or access to company Web sites is the easiest
way to deal with some aspects of online risk, especially when the company Web site
is more informational than interactive. However, firms that conduct financial
transactions or process customer credit card data online not only must develop
standards and controls to protect their Web sites from hackers and the like, they also
must educate their customers about best practices for protecting their privacy and
personal information when using their Web site. And the risks in the online world go
beyond security-related risks to encompass branding, reputation, and even broader
compliance risks such as Americans with Disabilities Act (ADA) compliance.
Information risk: It's hard to overestimate the impact of a loss or breach of
information. Not only is an incident embarrassing, there are regulatory and legal
consequences as well. To prevent unauthorized access or disclosure, firms need to
develop controls that address the accuracy, mobility, modification, and access of
information. The challenge is educating each level of the business on the sensitivity of
the information it possesses so that it can then recognize what should be protected. As
part of educating the business, one state agency hosts a computer security day and a
computer awareness competition.
3.3.2 Relational Risks
Relational risks emerge from dependency on third parties and the business perception of IT
as shaped by the frequency of service disruption and the effectiveness of IT's
communications.
Vendor management risk: Vendor management risks include vendor selection,
requirements, influence, and stability. Poor vendor selection can lead to misused
resources, strained staff, and service disruptions or delays. If IT omits vendor
requirements from the service-level agreement (SLA) or the vendor does not
understand them, the organization is at risk, especially if the vendor has sloppy
risk management practices that could expose the firm's information or IP to loss
or improper access. Firms also worry that they will not have the clout to keep the
vendor's attention from drifting to other product areas. If the vendor goes out of
business, how will that affect your organization and the support expected?
"For example, with VoIP, there are more than 200 vendors that offer services. Within
the next 10 years, there will be five. I need to pick the right one today and hope
they are still around because I know that my decisions will be available three
years down the road." (Director of IT security, Governmental agency)
Third-party relationship risk: Distributed business tears down defined organization
boundaries. Organizations have been reengineered, outsourced, and have established a
myriad of business relationships with partners and suppliers that significantly add to
the risk complexity within IT. Similar to the risks generated by vendor
relationships, companies face the risk of not defining requirements, the risk of the
other party not understanding what is expected of them, and the risk of not
monitoring after the SLA has been signed to ensure the agreement is being
followed. Businesses are also at risk if they have not built security controls for
third-party human resources into their contracts and SLAs to protect them from
liability.
IT reputation/customer satisfaction risk: Major service interruptions and incidents
erode IT's reputation with the business and complicate IT's efforts to position
itself as a value generator. Likewise, business perception of IT suffers when it
does not deliver cost-efficient, timely solutions that meet new business needs and
fulfill existing SLA commitments. When IT tries to assess business perception, it
often relies exclusively on customer satisfaction surveys that never really address
the main concerns of the business. In one energy organization, even people in IT
are skeptical because customer satisfaction results are in the 1990s but dialogue
with the business paints a different picture.
3.3.3 Technology Risks
Technology risks include IT's ability to keep pace with new technology, manage and
develop projects that address business needs, implement business changes in a responsible
manner, and maintain a standardized but flexible IT infrastructure.
IT agility risk: IT agility is sometimes constrained by the business's openness to
innovation. On the other hand, more organizations have the opposite problem,
where the business is willing and able to innovate but the IT culture resists
innovation. If IT drags its feet implementing change, it has to play catch-up to the
business and becomes a source of frustration instead of a partner in innovation.
IT architecture risk: Architecture risk involves properly defining the architecture
and developing standards that provide structure but do not constrain flexibility.
The risk here is that firms will not upgrade old technologies quickly enough to
meet the technical needs associated with business change. A corresponding risk is
that the business will not want to follow the established architecture, preferring
short-term tactical needs over long-term architecture strategy.
Change execution risk: The major risk is that change management processes for
infrastructure or apps are either absent or not followed. One information security
specialist pointed out that there is a direct correlation between the enforcement of
change management processes and the availability of systems and integrity of the
environment. Without vigilance, business customers may try to beat the system
to avoid following established processes. In addition, some organizations engage
in so many drastic changes that they have unnecessary, expensive service outages,
while others are so comfortable with the familiarity of existing infrastructure that they
miss possible improvements.
Project development risk: The business may take a hands-off approach to project
management because they do not understand the importance of being involved
throughout the process or are content because project planning ran smoothly. If
business priorities shift and they do not communicate this to IT, project developers
may design an expensive, irrelevant project that no longer meets business needs.
3.3.4 IT Governance Risks
IT governance risk is nearly universally recognized as an important risk for businesses
regardless of industry. Without a strong governance structure in place, firms will be unable to
mitigate the IT risks associated with other domains.
IT strategic risk: IT strategic risk results from a lack of alignment with the
business, inconsistent compliance with governance standards, or a loss of control.
In some cases, the business pays lip service to the ideal of IT governance while
not providing adequate resources or completely disregarding IT governance
standards when there is an attractive business opportunity. Differences in
governance between the firm and associated third parties also put the firm at risk
of losing control of its information, services, and critical resources.
IT resources risk: Major risk areas include finding the right people, right skills,
and right funding. Due to the specialized skills required, IT security professionals
and quality control specialists are in high demand and low supply and therefore
paid accordingly. Firms risk losing their best people to competitive salary offers.
For firms that outsource, there are risks associated with finding the right vendor to
match the skills needed by the organization as well as determining which skills
should be outsourced. In addition, IT must identify internal employees with
leadership skills and technical know-how to guide the vendors appropriately. From
a funding perspective, IT organizations face a triple challenge: getting adequate
funds from the business, allocating resources quickly enough to keep pace with
evolving business requirements, and managing the resources they have been given
effectively.
Compliance/legal risk: The real challenge for IT is to not only be aware of
regulations and regulatory changes like SOX and HIPAA, but to modify processes
in a timely manner to keep pace with them. Therefore, IT must manage the risks
of compliance as a process, not as individual projects. The dynamic nature of
business and IT requires that organizations stay on top of requirements to keep
abreast of the pace of business and technology change. Firms that operate in
multiple jurisdictions also face the complexity and resource drain of conflicting
regulations and duplicative audits. Even domestically there is regulatory overlap
that unwittingly contributes to inefficiency and strains IT resources. Some
business opportunities may be passed over due to the expensive or onerous
compliance requirements they trigger.
All four types of IT risk are increasingly interrelated and important to just about
everyone in the organization. For example, IT directors and managers are on the front lines
when IT failures occur. They see how patches must be rolled out in a compliant manner to
protect systems from security threats, or how data protection practices designed to improve
availability might impact network performance and create security vulnerabilities if data isn't
encrypted. It's all connected. Also, as IT failures become synonymous with business failures,
IT risk is becoming a topic within the boardroom and the executive suite. In fact, companies
such as FedEx, Procter & Gamble, and Home Depot have even established special board
committees whose sole purpose is the management of IT risk.
3.4 Managing Risk
To address all the aspects of IT risk, the IT department needs to craft and implement a
holistic IT risk management strategy that incorporates assessment, accountability,
measurement, and management. A five-step approach to managing IT risk is suggested. The
cornerstone of the approach is this belief: when an organization successfully manages IT
risk, it is better able to use IT to compete and innovate with confidence.
1. The first step is to develop an awareness and understanding of the specific IT risks to
your business: security, availability, performance, and compliance.
2. The second step is to quantify risks through an impact assessment and develop a
business case for IT investment. Impact can take many forms, including customer
losses, business losses, damage to brand equity, legal costs, and regulatory fines.
3. Next, companies should understand the range of tools they can apply to managing IT
risk and design a solution. Technology is clearly an important component of the
solution, but just as important are tools that address the human elements of an IT
system, including training and operational processes.
4. The fourth step is to align IT risks and costs with the business to find the right level of
investment and implement the solution. Obviously we can't afford to apply the
highest levels of protection to every IT risk we identify.
5. The last step is to develop a systematic, ongoing capacity to manage IT risk. It's not a
project but an ongoing activity that must be built into the culture of the organization.
Fig: Managing Risk
4. CONCLUSION
In this era of stiff competition, a business that wants to survive has to reduce its cost of
operation compared to its competitors. An important task at hand is thus to manage its
available infrastructure well while minimizing its risk. This paper highlights the ways to
optimize the use of available infrastructure together with means to identify risk and to
mitigate it.