As part of their risk management initiatives, businesses have long tried to identify hidden risks, measure their potential impact and take measures to prevent those with significant consequences. Increasingly, companies are applying the same degree of risk management scrutiny to their IT operations as they have in other critical areas of their business. They are realizing that the risks associated with IT have just as significant an impact on the business as other operational activities do. The impacts of system downtime, compromised data, failed audits and poor data integrity are just a few of the factors that cause companies to lose brand goodwill, incur increased costs, face expensive litigation and miss revenue opportunities. Global operations, distributed computing environments, heterogeneous components in the IT infrastructure, frequent changes to mission-critical systems, security mandates and multiple, overlapping compliance imperatives make managing IT risk a challenging endeavor. Even minor incidents can have a major impact. But IT control automation and validation can help if the appropriate strategy and supporting technologies are in place.
Figure 1: The "4C" Success Strategy
With millions of events on hundreds of servers in dozens of locations across the enterprise, IT risk management is too error prone and costly to tackle without the right approach. Applying the "4C" strategy to enterprise risk management will improve the chances of success. A comprehensive, continuous, closed loop and consolidated enterprise risk management strategy for IT is the right way to capture all enterprise activity as soon as it happens, detect unauthorized actions and take corrective action.
Comprehensive
Comprehensive enterprise IT risk management should identify who is performing actions, what they are doing and exactly when and where they are conducting their activity. Enterprise risk management also needs to embrace the complete set of IT controls in the organization across the entire IT infrastructure.
Most IT control products either only incorporate some element of IT controls or are concerned with only a specific type of IT infrastructure component as shown in the example below of common toolsets. For example, application access and control applies to only one control, segregation of duties, and to only one IT component, applications.
Application access and control ensures segregation of duties.
Security policy offers audit and compliance specifically for security configurations.
Security information and event management focuses on event and log analysis for network and security devices.
Database compliance audits database activity including data access, data changes and changes to database structure.
While these various product sets are very useful for solving specific IT control issues, they do not fully address the requirements for enterprise risk management. Given limited resources, IT needs the ability to categorize and prioritize violations across the full set of IT controls including change management, emergency access, direct access, database access, segregation of duties, security and configuration management and job scheduling, to name a few. Further, activity monitoring should be available across the entire IT infrastructure, not just limited to specific applications, databases, devices, directories or files.
Individual focus on a limited number of controls or a particular component of the IT infrastructure limits an organization's ability to mitigate risk. Having complete knowledge of IT control violations that are happening throughout the entire IT environment is the only way staff can easily make decisions about which controls pose the most risk to the organization so that they can set the priorities that will provide the most benefit to the business. Some degree of risk is acceptable because it simply costs more to prevent it than it would cost if the risk actually materialized. Knowledge of the time and frequency of a wide range of events will help managers more accurately assess IT risks.
Continuous
Manual IT control monitoring involves a time-consuming, labor-intensive review of system and database logs. And, because of the sheer volume of data, reviews typically only cover a small sample of events. Therefore, organizations do not have access to timely and accurate IT control information. Risk is high because as the time window for unacceptable control violations grows, so does the damage to the company.
Even some automated solutions present the same problems as manual control auditing. For example, older snapshot models that make comparisons between two different points in time are also likely to miss important events because they can, at most, report only one change during the snapshot interval. One way to reduce missed events with a snapshot approach is to take snapshots more frequently. Unfortunately, frequent snapshots can be a significant performance drain on production systems. In addition, more frequent baselines do not eliminate the chance of missing events - users just need to make more than one change between snapshots, and the first change is masked by the second.
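To make the snapshot problem concrete, here is an added simulation (not from the original page) that diffs periodic snapshots of a constructed configuration state against an event-driven record of the same changes; the settings, users and timings are all invented sample data.

```python
"""Snapshot-interval auditing vs. event-driven collection (constructed data, added example)."""
from typing import Dict, List, Tuple

# Constructed change stream: (minute, user, setting, new_value). Not real data.
EVENTS: List[Tuple[int, str, str, str]] = [
    (5,  "alice", "sshd:PermitRootLogin", "yes"),   # risky change ...
    (12, "alice", "sshd:PermitRootLogin", "no"),    # ... reverted 7 minutes later
    (20, "bob",   "db.users.role",        "admin"), # privilege grant ...
    (40, "bob",   "db.users.role",        "user"),  # ... reverted 20 minutes later
]
BASELINE: Dict[str, str] = {"sshd:PermitRootLogin": "no", "db.users.role": "user"}

def state_at(minute: int) -> Dict[str, str]:
    """Configuration state as a snapshot taken at `minute` would see it."""
    state = dict(BASELINE)
    for t, _, setting, value in EVENTS:
        if t <= minute:
            state[setting] = value
    return state

def snapshot_audit(interval: int, horizon: int) -> List[Tuple[int, str, str, str]]:
    """Diff successive snapshots, returning (minute, setting, old, new).
    At most one change per setting per interval can be seen, a change reverted
    before the next snapshot is never seen at all, and the acting user is unknown."""
    findings = []
    prev = state_at(0)
    for minute in range(interval, horizon + 1, interval):
        cur = state_at(minute)
        for setting, value in cur.items():
            if value != prev[setting]:
                findings.append((minute, setting, prev[setting], value))
        prev = cur
    return findings

def continuous_audit() -> List[Tuple[int, str, str, str]]:
    """Event-driven collection records every change as it happens, with the actor."""
    return list(EVENTS)

if __name__ == "__main__":
    for interval in (60, 30, 10):
        print(f"snapshot every {interval} min:", snapshot_audit(interval, 60))
    print("continuous:", continuous_audit())
```

With hourly snapshots both reverted changes vanish entirely, half-hourly snapshots still miss the root-login change, and only the event stream attributes each change to a user.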
Continuous monitoring means real-time, event-driven data collection performed 24/7. Continuous monitoring is a necessity to immediately identify potentially catastrophic events such as security breaches or outages caused by user activity. Events that do not meet IT policies or rules are collected directly from the infrastructure and alerts are sent for issues that require urgent attention.
Strong risk management must be as proactive as possible. This means using the timeliest information possible to make decisions, which in turn requires continuous monitoring. The sooner an organization knows what is happening in its IT infrastructure, the better prepared it is to take corrective action quickly. To appreciate the importance of continuous IT control monitoring, just think about the cost of one hour of downtime for a mission-critical application.
Closed Loop
Many companies use change management systems to record what is supposed to happen by identifying, planning, assessing, approving and assigning changes in a centralized system. This use ensures that change activities are communicated, coordinated and have minimal negative impact on the overall business. However, change management systems cannot validate change activities once an approved change request has been assigned to an individual. Did the change actually get completed? Is there a change request associated with an observed change? Further, many changes are conducted without the appropriate approvals from the change management process and, therefore, are never entered in the change management system. Not knowing what really happened adds to enterprise risk.
Meeting IT control objectives for enterprise risk management involves new dimensions of understanding change activity. Closed-loop change management is a compliance strategy that automates the discovery of what was supposed to happen and what really did happen to reduce the time and effort for IT audits. By leveraging and extending the capabilities of change management systems, every change can become a test of a change control process to:
Catch unauthorized changes and direct access. By comparing detected changes with approved change requests from a change management system, a closed-loop solution immediately reports unauthorized activities, including the individual associated with the change.
Report that approved changes were actually completed. Once an individual completes a change, the closed loop solution will then report all of the activities associated with the approved change request in a change management system.
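The two closed-loop checks above can be expressed as one reconciliation pass over observed changes and approved requests. The following is an added example, not code from the page or from any particular product; the record layouts, hosts, users and time windows are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class ChangeRequest:          # approved record from the change management system (constructed schema)
    cr_id: str
    assignee: str
    target: str
    window: tuple             # (start, end) in minutes on the example's constructed clock
    activity: list = field(default_factory=list)

@dataclass
class DetectedChange:         # observed on the infrastructure by continuous monitoring
    minute: int
    user: str
    target: str
    detail: str

def reconcile(requests, detected):
    """Link each observed change to an approved request for the same target, assignee
    and time window. Unlinked changes are unauthorized (reported with the acting user);
    requests with no linked activity were never completed."""
    unauthorized = []
    for change in detected:
        match = next((cr for cr in requests
                      if cr.target == change.target
                      and cr.assignee == change.user
                      and cr.window[0] <= change.minute <= cr.window[1]), None)
        if match is None:
            unauthorized.append(change)
        else:
            match.activity.append(change)
    incomplete = [cr for cr in requests if not cr.activity]
    return unauthorized, incomplete

def sample_report():
    """Run the reconciliation on constructed sample data; returns plain tuples for checking."""
    requests = [
        ChangeRequest("CR-101", "alice", "web01:/etc/nginx/nginx.conf", (100, 200)),
        ChangeRequest("CR-102", "bob", "db01:schema.orders", (300, 400)),
    ]
    detected = [
        DetectedChange(120, "alice", "web01:/etc/nginx/nginx.conf", "worker_processes 4 -> 8"),
        DetectedChange(150, "carol", "web01:/etc/nginx/nginx.conf", "added server block"),     # not the assignee
        DetectedChange(250, "alice", "web01:/etc/nginx/nginx.conf", "keepalive_timeout 65 -> 10"),  # outside window
    ]
    unauthorized, incomplete = reconcile(requests, detected)
    return ([(c.minute, c.user, c.target) for c in unauthorized],
            [cr.cr_id for cr in incomplete],
            {cr.cr_id: len(cr.activity) for cr in requests})
```

Calling `sample_report()` flags carol's change (no request assigned to her) and alice's late change (outside the approved window) as unauthorized, and reports CR-102 as approved but never completed.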
Consolidated
A consolidated system is an important foundation for enterprise risk management for IT. Policy definition, administration, reporting and storage are best served by a single system rather than point solutions or paper-based reports.
Policies define the desired IT controls in an organization and whom to notify when violations exceed acceptable thresholds. Increasingly, standards-based control frameworks, such as COSO, COBIT, ITIL and ISO 17799, and government and industry regulations, such as Sarbanes-Oxley, Gramm-Leach-Bliley and Basel II, are adding to the number of policies a company must define and monitor. And, risk management itself is a continuous process that requires frequent modifications to policies.
A single point of policy administration and reporting in a consolidated system helps to reduce the cost and complexity of managing enterprise risk. Policies are easier to define, review, update and version. Comprehensive reporting highlights best practice and controls violations, enabling companies to take immediate action when there is an issue and to continually refine their IT processes to reduce risk. Because consolidated solutions allow a single team to oversee and evaluate risk, they lead to improved accountability and mitigation.
A single, integrated data repository for centralized audit IT reporting and analysis is a necessary backbone to achieve enterprise-level risk management. Combining activities across the distributed environment into one database makes it much more efficient to execute queries against multiple heterogeneous sources. The operational and compliance teams know exactly where to go to get the answers they need, and they have a single, authoritative source of record.
Detection and reporting of unauthorized changes and out-of-compliance actions on the IT infrastructure will ensure better enterprise risk management for IT activities. Applying the "4C" strategy - comprehensive, continuous, closed loop and consolidated - makes IT control automation and validation not only more effective, but also less costly and resource intensive.