The Top Five Mistakes to Avoid While Planning an IT Risk Assessment
By Larry Marks, PMP
What is an IT Risk Assessment?
There are several reasons to perform a risk assessment of a firm’s IT activities and resources. First, an IT risk assessment is intended to help IT management:
1. Better allocate resources and perform capital budgeting.
2. Assign resources based on a risk-based approach.
Second, various regulatory authorities, such as the Federal Financial Institutions Examination Council (FFIEC), the Basel Committee on Banking Supervision (Basel), the Securities and Exchange Commission (SEC), and the Financial Industry Regulatory Authority (FINRA), require that risk assessments be performed for all financial institutions. For example, see the following excerpts from the FFIEC IT Examination Handbook:

“A financial institution establishes and maintains truly effective information security when it continuously integrates processes, people, and technology to mitigate risk in accordance with risk assessment and acceptable risk tolerance levels. Financial institutions protect their information by instituting a security process that identifies risks, forms a strategy to manage the risks, implements the strategy, tests the implementation, and monitors the environment to control the risks.” Page 1, FFIEC IT Examination Handbook: Information Security

“A strong security program reduces levels of reputation, operational, legal, and strategic risk by limiting the institution’s vulnerability to intrusion attempts and maintaining customer confidence and trust in the institution…. Examiners and risk managers should incorporate security issues into their risk assessment process for each risk category. Financial institutions should ensure that security risk assessments adequately consider potential risk in all business lines and risk categories.” Page 9, FFIEC IT Examination Handbook: Information Security

“Information security risk assessments …should identify the location of all confidential customer and corporate information, any foreseeable internal and external threats to the information, the likelihood of the threats, and the sufficiency of policies and procedures to mitigate the threats.” Page 21, FFIEC IT Examination Handbook: Management

What Can Go Wrong While Executing an IT Risk Assessment?
Following is my list of the five mistakes to avoid while planning or executing an IT risk assessment:

a. Project Plan Supplied by Terminated Employees; What Are the Tasks?
Scenario: Several days after I was hired to help operationalize a risk framework that had already been developed, the project management office presented me with the base-lined project plan. The plan included tasks that had been agreed on by the sponsor, program managers, and project office, but whose origin we could not determine. None of the other affected parties could explain these tasks to us.
Lessons Learned: We received buy-in from the sponsor, program managers, and project office to modify the project plan wherever a task did not appear relevant to the framework; one such task was “training of affected users.” We were not asked to re-baseline the project plan. The sponsor, program manager, and project office recognized that effort was needed to implement the project plan, and indicated that a re-baselined plan built with best practices in mind (“what should be done?”) was not immediately needed to implement the framework, so we removed the task because it was irrelevant to planning the risk assessment.

b. Lack of Buy-In from Sponsors and Affected Parties
Scenario: We were asked to set up the organizational structure and to plan and execute IT risk assessments throughout the firm and its subsidiaries; however, the sponsor and the affected management team were unaware of the:
1. Rationale for executing the risk assessment.
2. Benefits to be derived from executing the risk assessment.
Lessons Learned: We convened numerous meetings with the interested parties (in this case, the sponsor and members of the project...