IT Risk Management Consulting
Auditing & IT-Risk Management
IT Risk Management Consulting in Brief
An IT risk management strategy may sound boring, but managing risks is basically what data security is all about. You can spend an endless amount of money buying hardware and software, but you will only get the benefit from them if the shopping list meets the goals that have been set. Those goals must match both the business strategy and the IT strategy.
IT risk management is part of the company’s operational risk management, focusing in particular on IT, IT infrastructure and software development. IT risk management requires knowledge of technical architecture as well as understanding of different hardware environments and system recovery. By understanding and managing IT risks, we strive to ensure the continuity of the company’s IT operations – and hence, often the continuity of the company’s entire operations.
If your business operations produce value, an interruption of those operations means that the production of that value is interrupted as well. It is vital to know at what level the company’s contingency planning currently is and where it should be. All related sub-components must be in balance, or else you may be paying for a seeming continuity that does not really help your business. It is important to have a contingency plan that has been verified and to carry out continuity training. If the worst happens, you must know how to recover.
Continuity (and continuity planning) is often divided into three distinct subareas:
- contingency planning,
- continuity planning and
- disaster recovery.
It is important to understand the differences between the terms before starting to make a comprehensive continuity plan. Contingency planning is preparing for large-scale crises in society, such as critical power grid or water supply problems. The purpose of contingency planning is to identify the factors affecting the business continuity of a company and to define the business priorities of the company when a disaster occurs. Disaster recovery planning includes operational instructions for maintenance, for minimizing damage during the disaster and for returning to normal operation. All three sub-areas can be approached with scenario-based planning.
IT risk management helps to understand what things can go wrong. Continuity planning helps to ensure that there are clear operational models for disasters, that recovery from disasters is as smooth as possible, and that as few operational risks as possible materialize.
What Mint Security delivers
Our experts have extensive experience of different architectural solutions and implementation methods, as well as of risk management measures and standards. For example, we produce the documents that guide IT risk management and continuity management, as well as risk mappings that help our customers create a risk register. We approach continuity planning by conducting workshops with our customers so that the plan serves their business environment as efficiently as possible.
The scenarios for continuity planning can be built using threat modelling. The scenarios can utilize risks that have already been identified, and, conversely, new risks can be identified during scenario planning.
Customer needs and challenges to be solved
IT risk management aims at identifying risks connected to the management of environments such as outsourcing or the company’s own server room, as well as to the chosen technologies such as cloud services, purchased systems or in-house systems development. The risks are identified, analyzed, classified and handled regularly, as in any other operational risk management. To get the best benefit out of the IT risk management and continuity planning functions, they should primarily be integrated into the company’s existing practices. Thus, the work is often started with a small survey of the current status. From there, we continue either with independent document writing or with workshop work together with the customer.
The first tasks may include a survey of the company’s operational risk management needs, a gap analysis of existing processes, or an interview study of how well the different parts of the organization understand the concept of operational risk. We customize a road map and the contents of the delivery according to the customer’s needs, because risk management should primarily be integrated into the company’s existing practices in order to get the best benefit out of it.
More details about our methods and tools
A comprehensive IT risk management system can utilize the Risk IT framework (ISACA) and lean on the ISO 27001 and ISO 31000 standards. In addition to these, other standards can be utilized as needed. Standards and models can also be applied in part, choosing a level that is suitable for the company.
When a customer needs a risk management tool, we begin by presenting either an Excel template or a risk register tool provided by Mint Security. If the customer so wishes, we also compare other tools.
The differences between Disaster Recovery Plans and Business Continuity Plans are not very clear in actual usage. Different companies sometimes use these terms differently and, at times, interchangeably.
Technically, the Business Continuity Plan (BCP) refers to the means by which loss of business may be avoided, and it ought to define the business requirements for continuity of operations. In doing so, it defines the business requirements for a Disaster Recovery Plan (DRP).
Technically, the Disaster Recovery Plan (DRP) deals with restoring computer systems, with all attendant software and connections, to full functionality under a variety of damaging or interfering external conditions. In daily practice, Business Continuity often refers to disaster recovery from a business point of view, or to dealing with simple daily issues such as a failed disk, a failed server or database, or possibly a bad communications line. It is often referred to as the measure of lost time in an application, possibly a mission-critical one.