Tuesday, July 19, 2005
Know your risks
Speed is vital to assess and manage swiftly changing risks and meet regulatory demands. A matrix-based approach can offer a faster route than traditional, bottom-up methods
IT risk management is no longer an optional extra for business. Unforgiving new regulations, including Sarbanes-Oxley and Basel 2, demand that responsible corporate governance be built on effective controls - and risk assessment is fundamental to controls assurance.
This raises a dilemma for chief information officers. Until now almost all IT risk management methodologies, such as CRAMM, SPRINT and OCTAVE, have been highly structured, and even the light versions are complex and time-consuming.
Rather than providing prompt answers to critical business security questions, they are geared towards the ongoing assessment and management of broad-spectrum business risks.
However, there is an alternative, matrix-based approach that organisations are beginning to adopt. In today's tough operational environment, CIOs must identify their principal security risks quickly and unequivocally if they are to prioritise countermeasures and direct them where they are needed most. Formal regulatory compliance is one driver, but so too is the need to protect against potentially crippling value destruction through loss of reputation, damage to the brand or the legal consequences of failing to meet standards.
posted by Brian Moran @ 10:54 AM