Risk Stratification and Acceptance in Enterprise Risk Management

Randall Frietzsche, Enterprise Chief Information Security Officer (CISO), Denver Health

Please provide our readers with a detailed understanding of today’s IT risk management landscape and the alpine hindrances that are continually hurdling enterprises.

My focus on the whole concept of IT risk management centers around two major aspects. The first one is, of course, the internal risk management of the IT infrastructure, applications, servers, endpoints, network layers and storage. Today, we have numerous devices exposed to the internet, and so a proper understanding of the network architecture is imperative. But the hardest part is vendor, supply chain, or third-party risk management. The growing number of vendors and the continuous shift toward the cloud have really exacerbated the situation. Therefore, having a sound supply chain process with pre-contracting risk management is important in order to know about vulnerable zones and repair the security control gaps. Where a control is lacking, risk rating the gap from both qualitative and quantitative standpoints is essential. Ultimately, the controlled or risk-rated gap needs to be aligned to a business risk register to enhance the chance of identifying and quantifying IT control gaps.

Could you elaborate more on the process of IT risk management, such as the components or the steps?

In my opinion, this historically complicated process is multilayered. The initial part can be risk stratification. During the process of purchasing a web application that may store a company’s data, by answering the risk stratification questionnaire one can have an overall view of the most significant risk indicators. This process has immense importance since it sets future directions based on the answers. For instance, if all the data is going to be exposed to the internet, it automatically becomes a pressing need to delve deeper into the technical details. Accordingly, if a service is going to be hosted internally, the risk quotient gets lower, and risk stratification turns into risk assessment. Then there are some cases where, despite knowing the presence of some risk factors, no other way out remains but the acceptance of risk. The whole process is done through a risk acceptance form.


Could you give us more insights about the risk management projects or process in your organization?

We are going through the process of formalizing exception management. We have created a RAF, or risk acceptance form, and have attached it to our policies. Hence, everybody in IT knows that if something outside of policy or standards is going to take place, or if there is a need to accept risks that cannot be managed or mitigated, the RAF has to be filled out. So, the segment we are working to build out is the GRC (governance, risk and compliance) platform inside our service desk software. Eventually, the whole process of risk assessment can be tied to the application. Ultimately, working in tandem, the IT system and risk management confirm an all-encompassing vision.

This kind of interconnectivity has led to an efficient work process, and has made it possible to produce a detailed report of the risk assessments done in the last six months, how many high risks there are, or how many exceptions are going to expire in the next 30 days.

Please shed some more light on your experience in the space. What advice do you have for someone who is starting off in this field?

In my view, their first focus should be on understanding the control objectives that their respective organizations must use to assess risk, and that depends on the framework a particular organization leverages, as it varies from industry to industry. Therefore, they should have a comprehensive knowledge of control objectives. For example, when moving to access control, a newcomer should know every single detail associated with it, as it is broad and leads to some critical concepts and practices. First, I can speak of privileged access, which determines what access domain admins, database administrators or web administrators have. This holds more importance than an average user of a system because they can actually administer it. So, frequent auditing of such access is important to ensure that it is appropriate. The next one I can talk about is multi-factor access, which incorporates some necessary credentials: what the user knows (password), what the user has (device) and who the user is (biometric). The lack of such a layered approach might lead to significant control gaps, but I should mention here another situation. If an organization restricts the IP address to stop people from accessing a web application from outside the premises, multi-factor access does not remain a necessity, and this is a strong compensating control as well. I would advise a new analyst, or any inexperienced player in this field, to grow familiar with such a layered approach, because in today’s volatile milieu enterprise risk management has turned into an alpine hurdle for every sector, irrespective of their nature and work process.
