Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response
Showing posts tagged with IT Risk Management
Showing posts in English
Jeremy Ward | 01 Feb 2008 08:00:00 GMT | 0 comments

So you think that risk is all about security? Well, we deal with risks to our personal security every day – each time we cross the road! But ask someone to think about more impersonal risk, like that to IT, and it becomes difficult to define what we mean.

The latest Symantec IT Risk Management Report aims to build a common understanding about IT risk, which it views as consisting of four elements: security, performance, availability, and compliance. When most people consider the risk to their IT systems, they immediately think about security and the need to keep bad things out and good things in. However, the report shows that concerns about availability risk have now come to the fore—78 percent of participants saw it as a serious or critical risk to their business. This makes a lot of sense when you know what it can cost your business if you lose the availability of your IT...

Jeremy Ward | 30 Jan 2008 08:00:00 GMT | 0 comments

Today Symantec launched Volume II of the IT Risk Management Report, entitled “IT Risk Management – From Myth to Reality.” It analyzes the results of interviews with more than 400 IT executives and professionals from around the world during 2007. As the title implies, the report takes a look at the truth behind four common myths around IT Risk Management.

Myth One: IT Risk = Security Risk

The report clearly demonstrates that people really don’t believe this myth any more. In fact, most (78 percent) of those participating in the survey thought that availability was the most important aspect of IT risk. While more than half of the participants rated every risk element serious or business-critical, only 15 percentage points separated the highest and lowest elements.

Myth Two: IT Risk Management is a Project

Well, anyone who...

khaley | 24 Jan 2008 08:00:00 GMT | 0 comments

Social networking sites are an increasingly popular way for people to keep in contact with friends, family and business colleagues. These sites offer a rich set of features that enable users to share personal information as well as videos, music, and images with members of their network—all in the name of keeping their contacts updated with what goes on in their lives. Although the ability to share information and multimedia files are among social networking sites’ greatest strengths, hackers see these assets as new vectors to attack unsuspecting users.

With the increased use of these sites in the workplace, businesses should examine and understand the risks social networking sites pose to the enterprise. We developed this short Ask the Expert document to provide an introduction to the topic,...

Fabio Battelli | 03 Jan 2008 08:00:00 GMT | 0 comments

In recent times there has been significant growth in the intensity and complexity of legislation and regulation that relates to corporate governance. The US Sarbanes-Oxley Act has driven those companies that are quoted on the New York Stock Exchange into a detailed re-evaluation of their procedures for managing and reporting audit information. Similar regulation has been introduced for companies quoted on the London Stock Exchange. The effects of this regulation has not been confined to those organizations directly impacted. Because a business is expected to show due diligence in the management of all of its audit-related information it will need its business partners, particularly those with whom it has network connections, to meet the same stringent requirements.

An IT department has to move forward from the current service delivery focus to an extended due diligence perspective. This means higher costs to sustain audits and evidence collection and to...

Samir_Kapuria | 20 Dec 2007 08:00:00 GMT | 0 comments

I know, it sounds like the name of an old school rock band, but it’s not. It’s actually going to be one of the most pressing issues for IT in 2008. With millions beginning to enter the workforce from Generation Y, CIOs are scrambling to understand and address perhaps their greatest risk ever.

In 2007 IT is just beginning to get its hands around the concept of IT risk management and figuring out how to translate that for executives and the board. Now they’re confronted by the millennial worker, which is almost cause to rethink IT risk management all over again. Trying to implement IT risk management policies with a "Millennial" workforce—one with members who have been labeled as "risk takers"—is very problematic. In general most "Millennials" tend to believe in a "no-walls" approach when it comes to sharing information. Why shouldn’t all information be shared? Their strength is digital sophistication; some would even claim that...

Jennie Grimes | 07 Dec 2007 08:00:00 GMT | 0 comments

What does it take to get attention for IT initiatives in today’s enterprise? In most cases, it means making a compelling business case – and getting the right information to the right people in the right language.

IT risk management initiatives are definitely worthy of executive attention. Our economy is increasingly dependent on the Internet and IT systems, making the risks in these systems far more visible and significant than ever. But, it’s a discipline with a myriad of stakeholders: CIOs, CISOs, enterprise risk management teams, compliance and regulation staff, and internal and external auditors.

Step #1: Choose your words wisely
There are two types of CIOs – infrastructure managers and strategic thinkers. The latter will succeed with their IT risk management agenda because they speak in terms of business advantages, not outages. For example, rather than talking about a "zero day threat," consider simulating the impact of a...

Tim Gallo | 01 Nov 2007 07:00:00 GMT | 0 comments

I recently attended a pair of conferences in Las Vegas (yes, lovely Las Vegas). Not only was it hot, but because I was staying in one hotel and the conferences were in two other hotels, I had a long hike between where I was sleeping and where I was attending. Needless to say, walking through the desert heat I had lots of time to think about why I was dumb enough not to bring water with me, think about where the nearest air conditioning was, and also to think about things that I’ve said in front of crowds or things I’ve heard other people say. One of the most common phrases I heard at the conferences was “risk mitigation.” Well really, what does that mean?

I hear a lot of vendors talk about how they help clients mitigate their risks and how they use technical infrastructure to do so. But, should we mitigate risks? Well, let’s start with reminding ourselves what “mitigate” means. defines “mitigate” as: to lessen in force or intensity, as wrath, grief,...

Hon Tran | 04 Oct 2007 07:00:00 GMT | 0 comments

Organizations are experiencing rising incident rates across the areas of security, availability, performance, and compliance, with significant impact to revenue, reputation, productivity, and cost. According to the Computer Security Institute and the FBI, per-incident costs of unauthorized access to information averaged over $85,000 in 2006, and system downtime costs reached tens of thousands of dollars per hour. It doesn’t take long for one to recognize even good IT Risk Management practices may soon reach their limits.

So how can organizations advance from good to great IT Risk Management practice? The challenge lies in understanding their portfolio of IT risks, quantifying and prioritizing them against the organization’s risk profile, and developing an effective program of remediation activities.

The following five-step process can help organizations assess their levels of IT Risk, develop remediation roadmaps, and ultimately build effective, continuous IT Risk...

Hon Tran | 03 Oct 2007 07:00:00 GMT | 0 comments

A quick Google search of the term “risk management’ returns more than 75 million results, revealing a discipline of balancing risks and costs that has been in practice across many industries for decades. Ironically though, the phrase has not become commonly-used in the IT industry until recently.

Traditionally, we’re used to hearing about risk associated with the financial assets (insurance, credit, exchange rates, interest rates). But we are also noticing more focus in operational risk, where the primary driver is information technology.

As consumers and businesses become increasingly dependent on the Internet and IT systems, the risks in this infrastructure have become far more visible and significant. Breaches or failures of information systems cause serious business crises – reputation damage caused by identify theft, business losses stemming from system failures, and regulatory restrictions arising from compliance issues. Recent news coverage has focused on...

Ken Gonzalez | 11 Sep 2007 07:00:00 GMT | 0 comments

In my last installment, we examined the list of ITIL® v3 processes. Figure 1 (below) is an important tool to begin considering the expansion of the key ITIL process base. The names for the processes are listed on the left side and the relevant ITIL book across the top.

Figure 1 - ITIL v2-v3 Process Coverage and Mapping (click for larger image)

I built this map in an attempt to describe which of the core publications are needed when researching or trying to understand a given process area. This was not quick or easy, because:

• Process naming is somewhat inconsistent across the books;
• Content from the ITIL v2 Core is not a clear or direct mapping;
• Content from other...