Odds Are (cont.)
Taking the risk out of IT risk management
"We have over 250 networked applications that range from a few users up to the 5,000 users of its largest patient information system," says Bob Burritt, network and technology manager. As a healthcare provider, Kettering must ensure it's providing a secure environment for users and for all the data associated with those applications.
"If you have poor security practices, you're going to end up having to spend a lot of money trying to mitigate risks. We're using Symantec to help us meet HIPAA compliance requirements as well as implement best practices from a security standpoint," says Burritt. "Symantec helps us implement as many security best practices as possible. The higher the risk, the higher the level of security that needs to be there."
For many companies, consulting services can provide the foundation needed for leveraging best practices. Kettering uses Symantec DeepSight Analyzer service to help its security staff manage global threats. It also uses Symantec Managed Security Services to continuously monitor and manage the hospital's intrusion prevention appliances.
Another area where organizations can gain a quick return on their risk management investment is ensuring the consistency of their environment. Many management technologies not only let IT configure and manage components efficiently, but can also serve as an integral part of an IT risk management strategy.
"We use Symantec Enterprise Security Manager when we build our servers, so we can make sure they're living up to a certain level of policies and that the policies are consistent for all the servers in the field," says Burritt. "It also helps whenever we do upgrades, since we can verify that the upgrade hasn't affected a certain level of policy or operating system component we need to have in place."
For smaller organizations, Burritt believes that annual security and risk assessments are a good starting point. "An audit done by an outside company is a good idea, especially for organizations that don't have large budgets," says Burritt. "I think it's important to have audit capabilities in key systems and areas, so when there's an issue, you can go back and figure out what happened. For example, most of our applications have audit capabilities. From an external standpoint, we're using Symantec Network Security 7100 Series intrusion prevention appliances and Symantec Managed Security Services to monitor our intrusion detection system so that when someone is trying to penetrate our systems, it will alert us of anomalies and we can mitigate those risks."
Ongoing protection
Managing IT risk requires an ongoing commitment to evaluating potential risks periodically and working with business leaders to define and implement appropriate mitigation options. On the IT side, it requires a close link between metrics used to gauge risks and the context from which those metrics come. The closer an organization is to creating a unified environment for measuring, monitoring, and understanding risks, the more effective the risk management process will be.
"The correlation of the context of the IT environment is necessary in order to prioritize risk management. This requires analysis based on objective measures, such as assigned metrics to more sensitive aspects of the IT environment," says Scott Crawford, senior analyst for Enterprise Management Associates. "Tools that automate such processes are helping enterprises automate the complex and difficult task of prioritizing IT risk mitigation, which in turn enables more strategic risk management."
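The two ideas above, checking servers against a consistent policy baseline after builds and upgrades, and weighting what you find by the sensitivity of the asset so that mitigation can be prioritized, can be illustrated with a small script. The following is an added example written for this article; it is not Symantec's code, not Kettering's, and not how Enterprise Security Manager works internally. The baseline settings, severity weights, host names, sensitivity ratings and configuration snapshots are all constructed for illustration.

```python
"""Baseline drift check with sensitivity-weighted prioritization.

Added example (not from the original article or any vendor product).
All policy keys, hosts and values below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed baseline policy: control name -> value every server must have.
BASELINE: Dict[str, str] = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "audit.enabled": "yes",
    "tls.min_version": "1.2",
    "patch.level": "2024-06",
}

# Constructed severity of a deviation for each control, in isolation (1..5).
CONTROL_SEVERITY: Dict[str, int] = {
    "ssh.PermitRootLogin": 5,
    "ssh.PasswordAuthentication": 4,
    "audit.enabled": 4,
    "tls.min_version": 3,
    "patch.level": 3,
}

# Constructed business context: how sensitive each asset is (1..5).
# This is the "context" the metrics are correlated with.
ASSET_SENSITIVITY: Dict[str, int] = {
    "pis-db01": 5,        # hypothetical patient information system database
    "intranet-web02": 2,  # hypothetical internal web server
    "build-srv03": 1,     # hypothetical build box
}

# Constructed post-upgrade configuration snapshots, one per host.
SNAPSHOTS: Dict[str, Dict[str, str]] = {
    "pis-db01": {
        "ssh.PermitRootLogin": "no",
        "ssh.PasswordAuthentication": "yes",  # drifted
        "audit.enabled": "no",                # drifted
        "tls.min_version": "1.2",
        "patch.level": "2024-06",
    },
    "intranet-web02": {
        "ssh.PermitRootLogin": "yes",         # drifted
        "ssh.PasswordAuthentication": "no",
        "audit.enabled": "yes",
        # "tls.min_version" missing entirely: treated as a deviation
        "patch.level": "2024-06",
    },
    "build-srv03": {
        "ssh.PermitRootLogin": "no",
        "ssh.PasswordAuthentication": "no",
        "audit.enabled": "yes",
        "tls.min_version": "1.2",
        "patch.level": "2024-03",             # drifted (behind baseline)
    },
}


@dataclass(frozen=True)
class Finding:
    host: str
    control: str
    expected: str
    actual: Optional[str]  # None when the setting is absent from the snapshot
    score: int             # control severity x asset sensitivity


def check_drift(baseline: Dict[str, str],
                snapshot: Dict[str, str]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (control, expected, actual) for every baseline control the
    snapshot does not satisfy. A missing setting counts as a deviation."""
    drift = []
    for control, expected in baseline.items():
        actual = snapshot.get(control)
        if actual != expected:
            drift.append((control, expected, actual))
    return drift


def prioritize(baseline: Dict[str, str],
               snapshots: Dict[str, Dict[str, str]],
               severity: Dict[str, int],
               sensitivity: Dict[str, int]) -> List[Finding]:
    """Run the drift check on every host and rank findings so that the same
    deviation on a more sensitive asset sorts higher. Unknown hosts get a
    sensitivity of 1 rather than being silently dropped."""
    findings: List[Finding] = []
    for host, snap in snapshots.items():
        weight = sensitivity.get(host, 1)
        for control, expected, actual in check_drift(baseline, snap):
            findings.append(Finding(host, control, expected, actual,
                                    severity[control] * weight))
    # Highest score first; host/control as tie-breakers for stable output.
    return sorted(findings, key=lambda f: (-f.score, f.host, f.control))


if __name__ == "__main__":
    for f in prioritize(BASELINE, SNAPSHOTS, CONTROL_SEVERITY, ASSET_SENSITIVITY):
        print(f"{f.score:>3}  {f.host:<15} {f.control:<28} "
              f"expected={f.expected!r} actual={f.actual!r}")
```

Run as-is, the script lists the drifted settings with the patient-system database at the top, even though the internal web server has the single worst control deviation (root login over SSH). That is the point of tying the metric to its context: the same finding is not the same risk on every asset, and the ordering, not the raw count of deviations, is what should drive the mitigation conversation with business leaders.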
David A. Kelly's work also appears in the New York Times.