- The meerkats and risk - The Toyota logo - DA matrix

1. 14. it risk landscape

2. ProblemManagementFoundation
Objectives
• The meerkats and risk
• The Toyota logo
• DA matrix

3. ProblemManagementFoundation
Risk
• Meerkats have a sentinel or lookout role
performed by non-breeding members of the
community. They watch for possible predators
and other potential threats to the community.
This behaviour is also called the raised guarding
position. This position rotates amongst different
members of the group in no particular order or
structure. Sentinels are usually around when the
group is foraging away from the burrow. The
meerkat on the lookout will sound an alarm by
producing a distinct bark. This allows the
offspring to escape inside the burrows and
under protection of adults.Meerkats are aware
that life is full of risks, like cobra's and eagles
and thus plan to mitigate those risks. In the
workplace a person cannot be ignorant about
the risks associated with problems occurring.
Evaluate what you have done to mitigate those
risks!

4. Addressing the IT risk management landscape

5. ProblemManagementFoundation
Risk
• It is crucial to be able mitigate the risk associated with problems and
thus an established risk analysis methodology needs to be adopted
and utilized. How will we know if the problem is required to be
solved or not?
• How will we know which problems need to be worked on and
prioritized over others?
• The risk assessment methodology needs to cover the landscape –
refer the TOYOTA logo

6. ProblemManagementFoundation
The three ellipses
There are three ellipses visible in the company’s logo. Each
ellipse represents the heart of the customer, the heart of the
product and the heart of technological progress.

7. ProblemManagementFoundation
The IT landscape / DA matrix
A matrix of overlapping areas with the
areas being people, process and
technology.
Many practitioners concentrate on a
single block but then that only addresses
a small area of risk that will be mitigated.
Each block has a present and future:
• Threat
• Opportunity
These are underpinned by perceived:
• Strengths
• Weaknesses
These blocks can be viewed as there
own SWOT (see example SWOT
template)
Areas
Disciplines

8. ProblemManagementFoundation
Disciples of risk in the IT
landscape
To be able to highlight threats in each area of the IT landscape there
are three attributes that can be used on focus on:
• Confidentiality. Information and services is accessible only to those
authorized (unauthorized disclosure)(loss)
• Integrity. Safeguarding the accuracy and completeness of information
and services (unauthorized modification or misuse)(error)
• Availability. Authorized customers have access to the information and
services when require (destruction)(failure)
derived from CRAMM

9. ProblemManagementFoundation
CIA

10. ProblemManagementFoundation
An example SWOT template
S W
O T

11. ProblemManagementFoundation
Rapid risk assessment
• Rapid framework
• Provide a mechanism process threats using lights, camera and action
methodology
derived from CRAMM and ITIL
Landscape
/ metric Description Type Assessment* Value Vulnerablity Assessment* Value Threat Risk level Control Countermeasures Decision Mitigation Responsibility Relevant policy
PC
Describe the risk (will maintain
intellectual property) Confidentiality Confidential 3 Loss Moderate 2 6 Medium
Not
applicable Provide countermeasures
Control &
countermeasure Insufficent Not applicable
PI
Describe the risk (sufficiently
trained) Integrity Moderate 2 Errors Significant 3 6 Medium
Not
applicable Provide countermeasures On hold Partial Not applicable
PA
Describe the risk (right seats on
the bus) Availablity Negligible 0 Failures High 4 0 Low
Not
applicable Provide countermeasures
Control &
countermeasure Majority Not applicable
OC
Describe the risk (engineered not
to leak) Confidentiality Secure 4 Loss Moderate 2 8 Medium
Not
applicable Provide countermeasures
Control &
countermeasure Insufficent Not applicable
OI
Describe the risk (without
ambiquity) Integrity Catastrophic 4 Errors Significant 3 12 High
Not
applicable Provide countermeasures
Control &
countermeasure Partial Not applicable
OA Describe the risk (repeatable) Availablity Mandatory 4 Failures High 4 16 High
Not
applicable Provide countermeasures
Control &
countermeasure Majority Not applicable
TC
Describe the risk (system
information protection
requirements) Confidentiality Secure 4 Loss Moderate 2 8 Medium Substitute Provide countermeasures
Control &
countermeasure Insufficent Not applicable
TI
Describe the risk (system
validation requiremenst) Integrity Catastrophic 4 Errors Significant 3 12 High
Not
applicable Provide countermeasures
Control &
countermeasure Partial Not applicable
TA
Describe the risk (system uptime
requirements) Availablity Negligible 0 Failures High 4 0 Low
Not
applicable Provide countermeasures
Control &
countermeasure Majority Not applicable
Evaluation
People
Process
Technology
Mitigation
ActionLights Camera
Impact (consequence
of event)
Vulnerablity
(liklihood of
occurrence) Analysis

12. ProblemManagementFoundation
Process (lights, camera, action)

13. ProblemManagementFoundation
Process (lights, camera, action)
• Lights. List all of the dangers or possible situations associated with
the event activity that may expose services or information to threats.
List these in the template. Use experts or experienced people to
advise you on your risk assessment.
• Camera. Rate or assess what the vulnerability (likelihood) is of
services and information being exposed to threats and what the
impact (consequences) could be as a result of the threat occurring.
• Action. Identify what practical measures could be put in place to
eliminate or reduce the likelihood of the threat occurring. This is
where changes are made to the event to reduce the risks. Use the
hierarchy of control system to minimise or eliminate threats by
putting in place potential to manage the threats once you have
assessed their risk level.

14. ProblemManagementFoundation
Risk – Lights

15. ProblemManagementFoundation
Risk – Camera

16. ProblemManagementFoundation
Risk – Camera

17. ProblemManagementFoundation
Risk – Camera

18. ProblemManagementFoundation
Impact (consequence of event)
• Catastrophic
• Multiple deaths, escalated and debilitating costs, adverse media coverage
• Major
• Serious health impacts for people or permanent disability, severe costs incurred,
widespread media coverage
• Moderate
• Rehabilitation required for injured persons, costs incurred, media and community
concerned
• Low
• Injuries resulting in lost time and claims, some costs incurred, minor isolated concerns
raised by stakeholders, customers
• Negligible
• Persons requiring first aid, insignificant costs incurred, minimum impact to reputation

19. ProblemManagementFoundation
Vulnerability (likelihood of occurrence)
• High
• It is expected to occur in most circumstances, availability required (excluding
scheduled maintenance), there is a strong likelihood or danger of reoccurrence
• Significant
• Similar dangers have been recorded on a regular basis, availability recovered in
minutes, considered that it is likely that the event could occur
• Moderate
• Availability recovered in hours, incidents or dangers have occurred infrequently in
the past
• Low
• Very few known incidents of occurrence, availability recovered in days, has not
occurred yet, but it could occur sometime
• Negligible
• No known or recorded incidents of occurrence, remote chance, may only occur in
exceptional circumstance

20. ProblemManagementFoundation
Risk – Action

21. ProblemManagementFoundation
Controls
• Eliminate (the threat)
• Remove or stop the threat if possible, remove the cause or source of the threat, by
eliminating the machine, task or work process. If this is not practical, then substitute.
• Substitute (the process)
• Use a less problematic process. If this is not practical, then engineer.
• Engineer (change the technology)
• Introduce different technology. Improve maintenance procedures. If this is not practical, then:
• Isolate
• Separate or isolate the threat from people by relocation or by changing the operation. If this
is not practical, then administer
• Administer
• Design and communicate written or verbal procedures that prevent the threat from occurring.
If this is not practical, then protect
• Protect
• Provide protect measures appropriate to the risk. Provide training information and supervision
to ensure that the measures will be effective and efficient.

22. ProblemManagementFoundation
Decision
• Control & countermeasures
• Determine what controls are currently in place and which are
appropriate to use in relation to mitigation of issues which are
likely to occur.
• Risk transference
• Transferring the cost of the risk occurring to another party such as an
insurer
• Risk acceptance
• Accepting a risk without implementing any mitigating measures
• Risk avoidance
• Disabling or stopping the activity which contributes most to the risk
potentially occurring.

23. ProblemManagementFoundation
Risk (special case) – Information
Security

24. ProblemManagementFoundation
Review
IT Risk involves all aspects of human behaviour as
well as systematic structures and technology.