Risk Management Strategies for IT Systems

Risk management has been around for a long time.  Financial managers run risk assessments for nearly all business models, and the idea of risk carries nearly as many definitions as the Internet.  However, for IT managers and IT professionals, risk management still frequently takes a far lower priority that other operations  and support activities.

For IT managers a good, simple definition for RISK may be from the Open FAIR model which states:

“Risk is defined as the probable frequency and magnitude of future loss”   (Open FAIR)

Risk management should follow a structured process acknowledging many aspects of the IT operations process, with special considerations for security and systems availability.

Risk Management Frameworks, such as Open FAIR, distill risk into a structure of probabilities, frequencies, and values.  Each critical system or process is considered independently, with a probability of disruption or loss event paired with a probable value.

It would not be uncommon for an organization to perform numerous risk assessments based on critical systems, identifying and correcting shortfalls as needed to mitigate the probability or magnitude of a potential event or loss.  Much like other frameworks used in the enterprise architecture process / framework, service delivery (such as ITIL), or governance, the objective is to produce a structured risk assessment and analysis approach, without becoming overwhelming.

IT risk management has been neglected in many organizations, possibly due to the rapid evolution of IT systems, including cloud computing and implementation of broadband networks.  When service disruptions occur, or security events occur, those organizations find themselves either unprepared for dealing with the loss magnitude of the disruptions, and a lack of preparation or mitigation for disasters may result in the organization never fully recovering from the event.

Fortunately processes and frameworks guiding a risk management process are becoming far more mature, and attainable by nearly all organizations.  The Open Group’s Open FAIR standard and taxonomy provide a very robust framework, as does ISACA’s Cobit 5 Risk guidance.

In addition, the US Government’s National Institute of Standards and Technology (NIST) provides open risk assessment and management guidance for both government and non-government users within the NIST Special Publication Series, including SP 800-30 (Risk Assessment), SP 800-37 (System Risk Management Framework), and SP 800-39 (Enterprise-Wide Risk Management).

ENISA also publishes a risk management process which is compliant with the ISO 13335 standard, and builds on ISO 27005..

What is the objective of going through the risk assessment and analysis process?  Of course it is to build mitigation controls, or build resistance to potential disruptions, threats, and events that would result in a loss to the company, or other direct and secondary stakeholders.

However, many organizations, particularly small to medium enterprises, either do not believe they have the resources to go through risk assessments, have no formal governance process, no formal security management process, or simply believe spending the time on activities which do not directly support rapid growth and development of the company continue to be at risk.

As managers, leaders, investors, and customers we have an obligation to ensure our own internal risk is assessed and understood, as well as from the viewpoint of customers or consumers that our suppliers and vendors are following formal risk management processes.  In a fast, agile, global, and unforgiving market, the alternative is not pretty.

Risk and Security in the Telecommunications Industry Series – Part 1

The worst case scenario – a strong earthquake strikes California, disabling the carrier hotel at One Wilshire, disrupting operations at submarine cable landing stations in both the Los Angeles area and central California, with a resulting tsunami hitting Hawaii, Guam, the Philippines, Taiwan, and Japan.

LA Hit by TsunamiCommunications are severed to most of the South Pacific, and severely degraded to allow for only emergency services and national defense usage within the west coast of the United States. Financial and government communications are disrupted and severely limited into Japan, Hong Kong, and China.

Telecom carriers in Singapore, Japan, Hong Kong, China, and Australia work frantically to restore cable, Internet, and telecom capacity from the Pacific submarine cable systems through the Indian Ocean to Europe and the US east coast. Seattle and San Francisco still have some connectivity, however cable systems from Grover Beach to San Diego are inoperable, limiting connections to those which were designed with automatic rerouting through North Pacific cable systems.

Sound crazy? No, it is not crazy, and there is a very good possibility a similar scenario will occur within our lifetime. In fact, when you look at the concern raised when the recent Los Angeles “Station Fire” threatened the telecommunications facility at Mt. Wilson many people were surprised at the potential disruption to both civilian and government communications if that facility were destroyed.

Los Angeles law enforcement uses the transmission towers to manage emergency communications throughout the LA area, fire departments, AM/FM radio stations, digital broadcast television stations – many were single threaded through Mt. Wilson as their primary local communications infrastructure. Not to mention the three letter federal agencies which use the facility for, well whatever they use it for…

Not a New Problem

Several US agencies have looked at this problem for many years. Agencies addressing the problem include the National Communications System (NCS), the Federal Communications Commission (FCC), the National Reliability and Interoperability Council (NRIC), the Department of Homeland Security (DHS), and an additional continuing special taskforce mandated by the president called the National Security Telecommunications Advisory Committee (NSTAC).

As recently as four years ago, an NSTAC report concluded “the telecommunications industry has shown that it is unlikely that a loss of assets in a single telecom hotel would cause a nationwide disruption of the (USA) critical telecommunications infrastructure.” Which may be true for the US infrastructure, as all major American carriers are interconnected at numerous locations scattered across the United States. In short, while the local LA community may be seriously disrupted in the event of the big earthquake, communications between Miami and New York would still be possible with little disruption.

AT&T, Sprint, Verizon, and QWEST are all well-meshed in their networks. As long as they are not sharing the same cable routes, or even in some cases the same actual cables, if the companies are subcontracting their long distance or local loops from other wholesale cable companies such as Level 3, XO, or Time Warner Telecom.

The International Factor

Ten years ago the United States could stand alone in our communications infrastructure. International communications were strong, and submarine cables were in use, however much of the international communications infrastructure was still done through use of satellites. Even if a submarine cable was disrupted, carriers could easily restore their communications through use of existing satellite restoral and recovery agreements.

Now, in the Internet age of high capacity telecom infrastructure, generally provisioned in multiples of 10 Gigabit per second links, satellite capacity has quickly become a fraction of the bandwidth driving international communications. Even the old telephone networks are being integrated by international and US carriers into their Internet infrastructure, often sharing the same circuits are streaming media, social networks, general web traffic, and other entertainment applications.

This will not be as easy to restore in the event California gets the big earthquake we all know is coming.

The Risks and Vulnerabilities Series

This series will look at several aspects of the telecommunications business, including:

  • International telecom vulnerabilities
  • Government interest, activities, and opinions on the risks and vulnerabilities of both US and international communications infrastructure
  • The role of the carrier hotel and internet exchange point in international communications
  • Interviews with people on the front lines of communication security
  • Recommendations for both the telecommunications industry, and the global user community

I look forward to reader comments, critiques, flames, constructive recommendations, and other ideas related to this discussion. Please add your comments to this blog, and I will ensure your voice is both heard and considered.

John Savageau, Long Beach

%d bloggers like this: