IT Risk Management Course
Learning Goals
• Understand the risk management process
  • Identify
  • Assess/Analyze
  • Treat/Control
  • Communicate
  • Monitor
Risk Identification
• Establish the scope and boundaries of the risk assessment process
• Identify the assets and systems that require risk assessment
• Determine the potential threats and vulnerabilities that may impact the assets and systems
• Assess the impact and likelihood of the identified risks
• Prioritize the identified risks based on their severity and potential impact
• Document the identified risks and their associated information
Risk Analysis
• Gather more information about the identified risks
• Evaluate the risks against existing controls and risk tolerance levels
• Analyze the likelihood and impact of the risks
• Determine the potential consequences of the risks if they are not managed
• Assign a risk rating to each identified risk
• Document the results of the risk analysis process
Risk Treatment
• Identify and evaluate potential risk treatment options
• Select risk treatment options based on the risk assessment results
• Develop a risk treatment plan for each identified risk
• Obtain management approval for the risk treatment plan
• Implement the risk treatment plan
• Monitor and review the effectiveness of the risk treatment plan
Risk Communication
• Communicate the results of the risk assessment process to stakeholders
• Identify key risk communication objectives
• Develop a risk communication strategy
• Choose the appropriate communication channels and methods
• Prepare and distribute risk communication materials
• Evaluate the effectiveness of the risk communication strategy
Risk Monitoring and Review
• Monitor and review the effectiveness of the risk management process
• Collect and analyze feedback from stakeholders
• Identify and address any issues or concerns related to the risk management process
• Review and update risk assessment results on a regular basis
• Assess the impact of any changes to the environment on the risk management process
• Continuously improve the risk management process based on feedback and new information
A Very Simple Example of Risk Documentation (Risk Register)

| Risk ID | Risk Description | Likelihood (1-5) | Impact (1-5) | Risk Level (L x I) | Mitigation Strategies |
|---|---|---|---|---|---|
| IT-R-01 | Unauthorized access to electronic health records (EHR) | 3 | 4 | 12 | Implement strict access controls, regularly review access logs, conduct security awareness training for employees |
| IT-R-02 | Malware or virus infections | 2 | 4 | 8 | Regularly update antivirus software, conduct regular vulnerability scans, ensure all software is up to date |
| IT-R-03 | Data breaches resulting in loss of patient information | 2 | 5 | 10 | Implement data encryption, restrict access to sensitive data, conduct regular security audits |
| IT-R-04 | Network failures resulting in system downtime | 4 | 3 | 12 | Implement redundant systems, regularly test backup and recovery procedures, establish a disaster recovery plan |
| IT-R-05 | Inadequate disaster recovery plan | 3 | 4 | 12 | Develop and regularly test a disaster recovery plan, ensure backup systems are up to date, establish communication protocols in case of a disaster |
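The register above is simple enough to keep in a spreadsheet, but once it grows the scoring and ordering are worth automating so that the Risk Level column is never typed by hand and out-of-range ratings are caught. The following Python is an added example, not code from the course: it holds the five register entries as data, recomputes Risk Level as Likelihood x Impact, validates each rating against the 1-5 scales defined in the appendix, and orders the entries for treatment. The tie-break rule (higher impact first when scores are equal) and the idea of expressing risk tolerance as a maximum acceptable score are assumptions made for this example; the course defines neither.

```python
"""Scoring and prioritizing a risk register.

Added example, not part of the course material. Reproduces the register as
data, recomputes Risk Level = Likelihood x Impact, rejects ratings outside the
1-5 scales from the appendix, and orders entries for treatment. The tie-break
rule and the tolerance threshold are assumptions made for this example.
"""
from dataclasses import dataclass

# Scale labels from the course appendix ("Risk Register Ratings").
LIKELIHOOD_SCALE = {
    1: "Highly unlikely", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Highly likely",
}
IMPACT_SCALE = {
    1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic",
}


@dataclass(frozen=True)
class RiskEntry:
    risk_id: str
    description: str
    likelihood: int
    impact: int
    mitigation: str

    def __post_init__(self) -> None:
        # Reject anything outside the defined scales so a typo such as 12 or 0
        # cannot silently inflate or hide a risk level.
        if self.likelihood not in LIKELIHOOD_SCALE:
            raise ValueError(f"{self.risk_id}: likelihood must be 1-5, got {self.likelihood!r}")
        if self.impact not in IMPACT_SCALE:
            raise ValueError(f"{self.risk_id}: impact must be 1-5, got {self.impact!r}")

    @property
    def risk_level(self) -> int:
        """Risk Level column: Likelihood x Impact, range 1-25."""
        return self.likelihood * self.impact


# The five entries from the register above.
REGISTER = [
    RiskEntry("IT-R-01", "Unauthorized access to electronic health records (EHR)", 3, 4,
              "Implement strict access controls, regularly review access logs, "
              "conduct security awareness training for employees"),
    RiskEntry("IT-R-02", "Malware or virus infections", 2, 4,
              "Regularly update antivirus software, conduct regular vulnerability scans, "
              "ensure all software is up to date"),
    RiskEntry("IT-R-03", "Data breaches resulting in loss of patient information", 2, 5,
              "Implement data encryption, restrict access to sensitive data, "
              "conduct regular security audits"),
    RiskEntry("IT-R-04", "Network failures resulting in system downtime", 4, 3,
              "Implement redundant systems, regularly test backup and recovery procedures, "
              "establish a disaster recovery plan"),
    RiskEntry("IT-R-05", "Inadequate disaster recovery plan", 3, 4,
              "Develop and regularly test a disaster recovery plan, ensure backup systems "
              "are up to date, establish communication protocols in case of a disaster"),
]


def prioritize(entries):
    """Order entries for treatment: highest risk level first.

    L x I cannot distinguish 3x4 from 4x3, so equal scores are broken by impact
    (assumed rule: a severe-but-rarer event is treated before a frequent-but-milder
    one), then by ID so the order is deterministic.
    """
    return sorted(entries, key=lambda e: (-e.risk_level, -e.impact, e.risk_id))


def above_tolerance(entries, tolerance: int):
    """Entries whose risk level exceeds the risk tolerance (assumed here to be
    expressed as a maximum acceptable L x I score), in treatment order."""
    return [e for e in prioritize(entries) if e.risk_level > tolerance]


def render(entries) -> str:
    """Plain-text register with the computed Risk Level and the scale labels."""
    lines = ["Risk ID  L  I  Level  Likelihood / Impact           Description"]
    for e in prioritize(entries):
        lines.append(
            f"{e.risk_id:8} {e.likelihood}  {e.impact}  {e.risk_level:>5}  "
            f"{LIKELIHOOD_SCALE[e.likelihood]} / {IMPACT_SCALE[e.impact]:<14} {e.description}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(REGISTER))
    print("\nExceeding tolerance 10:", [e.risk_id for e in above_tolerance(REGISTER, 10)])
```

Running it lists IT-R-01, IT-R-05 and IT-R-04 first (all scored 12), then IT-R-03 (10) and IT-R-02 (8). The three-way tie is the point worth noticing: a product score hides whether a 12 came from a likely-but-moderate event or a possible-but-major one, so the register should carry the two ratings separately, as the course's table does, rather than only the product.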
Appendix
IT Risk Examples
• Malware infection (e.g., ransomware, virus) - impact: data loss, downtime; severity: high
• Cyber attacks (e.g., hacking, phishing) - impact: data theft, reputation damage; severity: high
• Insider threats (e.g., data theft, sabotage) - impact: data loss, reputational damage, legal liability; severity: high
• Human error (e.g., accidental deletion, misconfiguration) - impact: data loss, downtime, reputational damage; severity: medium to high
• Hardware failure (e.g., server crash, power outage) - impact: downtime, data loss; severity: high
• Software failure (e.g., bugs, glitches) - impact: downtime, data corruption; severity: medium to high
• Network connectivity issues (e.g., outage, latency) - impact: disruption to services, data loss; severity: medium to high
• Cloud service provider outage (e.g., AWS, Azure) - impact: disruption to services, data loss; severity: high
• Third-party service provider failure (e.g., ISP, vendor) - impact: disruption to services, data loss; severity: medium to high
• Inadequate disaster recovery and business continuity planning - impact: downtime, data loss, reputational damage; severity: high
• Lack of IT governance and controls - impact: non-compliance, legal liability, reputational damage; severity: high
• Compliance and regulatory issues - impact: legal liability, fines, reputational damage; severity: high
• Inadequate data protection and privacy controls - impact: data loss, reputational damage, legal liability; severity: high
• Unauthorized access to sensitive data (e.g., PII, financial data) - impact: data loss, legal liability, reputational damage; severity: high
• Inadequate access controls and identity management - impact: data loss, unauthorized access, reputational damage; severity: high
• Inadequate IT asset management - impact: asset loss, data loss, reputational damage; severity: medium to high
• Inadequate patch and vulnerability management - impact: data loss, unauthorized access, reputational damage; severity: high
• Shadow IT (e.g., unauthorized software, BYOD) - impact: data loss, unauthorized access, reputational damage; severity: medium to high
• Inadequate training and awareness programs - impact: data loss, unauthorized access, reputational damage; severity: medium to high
• Inadequate IT budget and resource allocation - impact: downtime, data loss, reputational damage; severity: medium to high
Risk Register Ratings

Probability ratings:
1: Highly unlikely - the risk event is not expected to occur.
2: Unlikely - the risk event could occur, but it is not expected to happen.
3: Possible - the risk event could occur and there is a moderate chance that it might happen.
4: Likely - the risk event is expected to occur, and there is a high chance that it will happen.
5: Highly likely - the risk event is almost certain to occur.

Impact ratings:
1: Insignificant - the risk event has minimal impact on the Ministry of Health's objectives and operations.
2: Minor - the risk event has a slight impact on the Ministry of Health's objectives and operations.
3: Moderate - the risk event has a noticeable impact on the Ministry of Health's objectives and operations.
4: Major - the risk event has a significant impact on the Ministry of Health's objectives and operations.
5: Catastrophic - the risk event has a severe impact on the Ministry of Health's objectives and operations, potentially threatening its mission and existence.