Wednesday 19 April 2017

Management involvement in risk assessment

Minimizing negative impact on the organization and providing a sound basis for decision making are the fundamental reasons software companies in India implement a risk management process for their IT systems. Risk management is a management responsibility.

This article describes the key roles of the personnel who should support and participate in the risk management process.

Senior Management

Senior management, under the standard of due care and ultimate responsibility for mission accomplishment, must ensure that the necessary resources are effectively applied to develop the capabilities needed to accomplish the mission. They must also assess and incorporate the results of the risk assessment activities into the decision making process. An effective risk management program that assesses and mitigates IT-related mission risks requires the support and involvement of senior management.

Chief Information Officer (CIO)

The CIO is responsible for the agency's IT planning, accounting, and performance, including its information security components. Decisions made in these areas should be based on an effective risk management program.

System and Information Owners

The system and information owners are responsible for ensuring that proper controls are in place to address the integrity, confidentiality, and availability of the IT systems and data they own. Typically, the system and information owners are responsible for changes to their IT systems; they usually have to approve and sign off on such changes (e.g., system enhancements, major changes to the software and hardware). The system and information owners must therefore understand their role in the risk management process and fully support it.

Business and Functional Managers

The managers responsible for business operations and the IT procurement process must take an active role in the risk management process. These managers are the individuals with the authority and responsibility for making the trade-off decisions essential to mission accomplishment. Their involvement in the risk management process enables the achievement of proper security for the IT systems, which, if managed appropriately, will deliver mission effectiveness with a minimal expenditure of resources.

ISSO

IT security program managers and computer security officers are responsible for their organizations' security programs, including risk management. Consequently, they play a leading role in introducing an appropriate, structured methodology to help identify, evaluate, and minimize risks to the IT systems that support their organizations' missions. ISSOs also act as principal consultants to senior management, ensuring that this activity takes place on an ongoing basis.

IT Security Practitioners

IT security practitioners (e.g., network, system, application, and database administrators; computer specialists; security analysts; security consultants) are responsible for the proper implementation of security requirements in their IT systems. As changes occur in the existing IT system environment (e.g., expansion in network connectivity, changes to the existing infrastructure and organizational policies, introduction of new technologies), the IT security practitioners must support or use the risk management process to identify and assess new potential risks and implement new security controls as needed to safeguard their IT systems.

Security Awareness Trainers (Security/Subject Matter Experts)

The organization's personnel are the users of the IT systems. Use of the IT systems and data according to the organization's policies, guidelines, and rules of behaviour is critical to mitigating risk and protecting the organization's IT resources. To reduce risk to the IT systems, it is essential that system and application users be provided with security awareness training. Therefore, the IT security trainers or security/subject matter professionals must understand the risk management process so that they can develop appropriate training materials and incorporate risk assessment into training programs to educate the end users.

Software companies in India need extensive management and personnel support to execute a risk management program successfully, reducing uncertainty and risk and putting suitable backup plans in place.