We have stated in the previous section that risk management is a process that involves three distinct processes which are: assessing the risks, mitigating the risks and evaluating the risks.

 

Risk management is an important factor for the survival and growth of any organisation or business because it allows IT managers and upper management to balance the operational costs and economic costs of protective measures. By carrying out effective risk management, they can achieve gains in mission capability by protecting the IT systems and data that the support the mission (or missions) of the organisation.

 

In every well-established organisation, senior management should ensure that the organisation possesses the skills, strengths and capabilities required to accomplish its mission. Before an organisation can achieve its mission, it must first face a number of real world threats and be able to mitigate those threats in order to achieve its mission. It is the task of the mission owners (i.e. the organisation’s senior management) to determine the security capabilities that their IT systems must have in order to provide the desired level of mission support in face of real world threats. This is not always an easy task, because most organisations will have relatively tight budgets for IT security. This means that any spending related to IT security should be thoroughly reviewed to make sure money is being spent efficiently.

 

Note that risk management is not unique to the IT environment only. It is applied in everybody’s daily lives such as in home security systems whereby a person would invest on a home security system to protect their belongings.

 

In this section, you will learn about the key players in the risk management process in an organisation and the role that each of those would play in supporting and participating in the risk management process.

 

1. Senior Management

Senior management has the responsibility of ensuring that the required resources are applied in order to assist the organisation in accomplishing its mission.

Senior management is always focused on the mission of the organisation, and this would involve assessing and incorporating the results from the risk assessment activity into their decision making process. It is important to note that senior management is most likely non-tech savvy, and it is therefore the role of chief technology officers or chief information officers in the organisation to translate the technical requirements and technical analysis into simpler terms, without employing much technical jargon, so that senior management would understand what’s going on and plan accordingly.

 

2. Chief Technology Officer (CFO) and/or Chief Information Officer (CIO)

The role of chief technology officers and chief information officers in an organisation is not only limited to liaising with senior management and explaining to them what’s going on with regards to the IT systems and security measures being implemented. That’s because the CIO and/or CTO in an organisation is responsible for the planning, budgeting and performance of the information technology systems of that organisation. Any decisions made by the CTO and the CIO should be based on the risk management program implemented in that organisation.

 

3. System owners and information owners

System owners and information owners are people responsible for preserving the integrity and confidentiality of the information technology systems as a whole, as well as the data they own. They are also responsible for the availability of the IT systems and their own data. This means that the system and information owners are responsible for any changes implemented to their information technology systems such as major enhancements and changes to the IT systems, including changes to the hardware and software components.

 

4. Business Managers

Business managers and functional managers are responsible for the information technology procurement process and are therefore active players in the risk management process. The business and functional managers in an organisation hold the power and authority to make decisions to aid the organisation to accomplish its mission. They have the responsibility to ensure the organisation’s mission is accomplished with minimal expenditure of resources, while maintaining the appropriate security level for IT systems.

 

5. Information Technology Engineers, Administrators and Security Practitioners

Information technology security practitioners include but are not limited to network engineers, network administrators, IT systems engineers, IT systems administrators, computer specialists, security analysts, application administrators, database administrators, and security consultants. The main responsibility for these people is to ensure that the security requirements of their IT systems are properly implemented.

 

As organisations grow in size, and expand their facilities and IT infrastructure (such as expanding the network, modifying the existing infrastructure, implementing new policies in the organisation or introducing new technologies), information security practitioners should work on identifying new potential risks to the IT systems, and implementing new security controls to protect those systems.