Pertemuan 2 - Introduction To IT Risk Management

1) IT risk management is important for organizations to protect their information assets and mission from IT-related risks like cyber attacks. Effective risk management involves identifying vulnerabilities, threats, their likelihood and consequences, and taking measures to reduce risks. 2) The key aspects of IT risk management are identification, assessment, and mitigation of risks through defined processes. It aims to balance operational costs with gains in security and mission capability. 3) Common risks to organizations include unauthorized access, data loss, and service disruptions. Not identifying and addressing risks early can lead to project failures and other issues. IT risk management should be part of overall enterprise risk management.

Introduction

To IT Risk Management

Presented by
Dedy Syamsuar, PhD

1 IT Risk Management & Disaster Recovery


Why is IT Risk Management important?
• Every organization has a mission. In this digital era, as organizations use automated information technology (IT) systems to process their information for better support of their missions, risk management plays a critical role in protecting an organization’s information assets, and therefore its mission, from IT-related risk.
• Concerns about the possibility of compromise and/or the loss of proprietary information have reached critical levels in many organizations in recent years.
• Cyber attacks continue to be a source of significant exposure to organizations of all types.



An Example Risk in IT world



An effective risk management process is an important component of a successful IT security program. The principal goal of an organization’s risk management process should be to protect the organization and its ability to perform its mission, not just its IT assets.



What is IT Risk Management?
• Information Security is defined as the set of mechanisms, techniques, measures, and administrative processes employed to protect IT assets from unauthorized access, (mis)appropriation, manipulation, modification, loss, or (mis)use and from unintentional disclosure of data and information embedded in these assets (Kouns & Minoli, 2011).

• Commonly used terms


• ITRM (Information Technology Risk Management)
• ISRM (Information Security Risk Management)
• ISMS (Information Security Risk System)



Other Definitions of ITRM
• Risk Management, in general, is a process aimed at an efficient balance between realizing opportunities for gains and minimizing vulnerabilities and losses (ENISA, 2006).
• Risk management is the process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their organizations’ missions (Stoneburner, 2002).
• "Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization" (ISACA, 2006).



So, what is risk?
• Risk is a quantitative measure of the potential damage caused by a threat, by a vulnerability, or by an event (malicious or non-malicious) that affects the set of IT assets owned by the organization.



The need to manage risk
[Figure: Risk plotted against System Complexity, with three labelled curves: Individual knowledge, judgement & experience; Expert knowledge, judgement & experience; Methods, tools & processes. Reproduced from [Higuera 1996]]



CIA …
• Confidentiality: protection against unauthorized access, appropriation, or use of assets.
• Integrity: protection against unauthorized manipulation, modification, or loss of assets.
• Availability: protection against blockage, limitation, or diminution of benefit from an asset that is owed.



Risk Management Process
• The ITRM process aims to minimize or reduce possible IT risk through a well-defined process (we will discuss this in meeting 3).
[Figure: the ITRM process cycle: Risk Identification, Risk Assessment, Risk Evaluation, Risk Mitigation]



An Example Risk in Software Things
• Many post-mortems of software project disasters indicate that problems would have been avoided (or strongly reduced) if there had been an explicit early concern with identifying & resolving high-risk elements!
• An obvious cost factor!

Try visiting the forum “Risks to the Public in Computer and related system” at http://catless.ncl.ac.uk/Risks



Is IT risk management part of ERM (Enterprise Risk Management)?
• Strategy - high-level goals, aligned with and supporting the organization's mission
• Operations - effective and efficient use of resources
• Financial Reporting - reliability of operational and financial reporting
• Compliance - compliance with applicable laws and regulations



It is important to identify:
• What can go wrong?
• What is the likelihood it will go wrong?
• What are the consequences?
• What can be done?
• What options are available?

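The process cycle on the earlier slide (identification, assessment, evaluation, mitigation) and the five questions above, worked through as an added example that is not part of the lecture: a small Python risk register rates each identified risk by likelihood times consequence, ranks the register, compares each score with an acceptable level and picks the cheapest countermeasure that reaches that level without costing more than the asset is worth, following the ISACA definition quoted earlier. The ordinal scales, the acceptable level and the sample assets, threats and ratings are assumptions of this example.

```python
from dataclasses import dataclass, field
# Ordinal scales and the acceptable level are assumptions of this example; the slides give no numbers.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTABLE = 6  # assumed risk appetite: scores above this must be treated

@dataclass
class Countermeasure:
    name: str
    cost: int           # cost of the control, same unit as the asset value
    likelihood: str     # residual likelihood once the control is in place
    consequence: str    # residual consequence once the control is in place

@dataclass
class Risk:
    asset: str
    asset_value: int    # value of the information resource to the organization
    threat: str         # what can go wrong
    likelihood: str     # how likely is it to go wrong
    consequence: str    # what are the consequences
    options: list = field(default_factory=list)  # what can be done

def score(likelihood: str, consequence: str) -> int:
    return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]  # risk as a number

def assess(register: list) -> list:  # risk assessment: rank identified risks, highest first
    return sorted(register, key=lambda r: score(r.likelihood, r.consequence), reverse=True)

def treat(risk: Risk) -> tuple:
    """Risk evaluation and mitigation: returns (decision, countermeasure or None, residual score)."""
    inherent = score(risk.likelihood, risk.consequence)
    if inherent <= ACCEPTABLE:
        return ("accept", None, inherent)
    # Only controls costing less than the asset is worth are candidates; the cheapest one that
    # brings the residual score down to the acceptable level is chosen.
    affordable = sorted((c for c in risk.options if c.cost < risk.asset_value), key=lambda c: c.cost)
    for c in affordable:
        residual = score(c.likelihood, c.consequence)
        if residual <= ACCEPTABLE:
            return ("mitigate", c, residual)
    return ("escalate", None, inherent)  # no affordable option is good enough: needs a management decision

# Constructed sample register; assets, threats and ratings are illustrative only.
REGISTER = [
    Risk("customer database", 500_000, "unauthorized access with stolen credentials", "likely", "severe",
         [Countermeasure("password policy only", 2_000, "possible", "severe"),
          Countermeasure("multi-factor authentication", 20_000, "rare", "severe")]),
    Risk("internal wiki", 5_000, "data loss from disk failure", "unlikely", "minor",
         [Countermeasure("nightly backups", 1_000, "rare", "negligible")]),
]
```

For the database the cheaper password policy leaves a residual score of 15, so the register picks multi-factor authentication (residual 5); the wiki scores 4 and is simply accepted.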


Sources of software risk (systems context)
[Figure: SYSTEM at the centre, surrounded by the risk sources Technology (Hardware, Software), People, Schedule and Cost]
Reproduced from [Higuera 1996] “Software Risk Management”, Technical Report CMU/SEI-96-TR-012, ESC-TR-96-012, June 1996
Why is it often forgotten?
• Optimistic enthusiasm at the start of projects
• Software process can lead to over-commitment & binding requirements much too early on
• Premature coding / plan
• The “add-on” syndrome
• Warning signals are missed
• Legal implications
• Poor software risk management by project managers




What is the Biggest Risk??
Not knowing what the risks are!
References
• Kouns, J., & Minoli, D. (2011). Information technology risk management in enterprise environments: A review of industry practices and a practical guide to risk management teams. John Wiley & Sons.
• Whitman, M. E., & Mattord, H. J. (2011). Principles of information security. Cengage Learning.
