Risk Management, Meeting I


Uploaded by: wedanurdayat

Posted on 18-Dec-2015


DESCRIPTION

Introduction to risk management

TRANSCRIPT

  • SESSION OBJECTIVES
    1. Understand the significance of risk impacting the project
    2. Know about IT frameworks for existing and project risk management (definition, use)

  • IT risk management is the process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their organizations' missions.

  • Type of Risk

    Uncertainty: known, known-unknown, unknown-unknowns

    Impact to: scope, quality, schedule, cost

  • Sources of Risk
    External, unpredictable
    External, predictable but uncertain
    Internal, non-technical
    Technical
    Legal

  • Process of RM
    IT risk management encompasses three processes:
    1. Risk Assessment
    2. Risk Mitigation
    3. Evaluation and Assessment

  • Who are the People?
    IT risk management is a management responsibility. Personnel who should support and participate in the risk management process:
    Senior Management; Chief Information Officer (CIO); System and Information Owners; Business and Functional Managers; ISSO; IT Security Practitioners

  • Where is RM needed?
    Banking: credit risk, market risk, liquidity risk, operational risk
    IT: enterprise architecture, IT projects, software development
    Insurance: investment
    etc.

  • IT RISK MANAGEMENT PROGRAM (November 16, 2006)
    [Diagram: IT Risk Portfolio cycle with the stages Identification & Measurement, Risk Management and Monitoring; elements shown: Risk Areas, Threats, Criticality, Likelihood, Mitigation, Ability to Control, Monitor]

  • Project Risk Management

    Planning
    11.1 Risk Management Planning
    11.2 Risk Identification
    11.3 Qualitative Risk Analysis
    11.4 Quantitative Risk Analysis
    11.5 Risk Response Planning
    Monitoring & Controlling
    11.6 Risk Monitoring & Control

  • Process Flow Diagram
    Risk Identification -> Qualitative Risk Analysis -> Quantitative Risk Analysis -> Risk Response Planning -> Develop project management plan -> Risk Monitoring & Control

  • IT RISK CONSIDERATION FRAMEWORK

    Risk Considerations:

    Impact
      Criticality to core business process
      Financial: loss of revenue
      Strategic: impact on future revenue streams
      Reputation
      Operational: impact on delivery of business services
      Legal/regulatory/compliance: financial penalties

    Likelihood of Sustained Interruption
      Odds of the threat being realized
      Length of disruption & business criticality determine impact
      Considered when determining the risk mitigation response

    Ability to Control Outcome
      Ability to implement risk mitigation measures
      Effectiveness of risk mitigation measures
      Considered in the effectiveness of mitigation techniques

    Risk Mitigation Alternatives
      Avoid risk by not implementing the technology
      Accept risk if the cost outweighs the benefit
      Transfer risk to a third party
      Reduce risk by implementing risk mitigation controls

  • IT Risk Summary

    Threat                                              Exposure  Mitigation Status
    (missing)                                           Low       Complete, stable, monitoring
    Data Center Power Outage                            Medium    Complete, stable, monitoring
    Hardware Failure                                    Low       Complete, stable, monitoring
    Data Center Fire/Water                              Medium    Complete, stable, monitoring
    WW Data Network Failure                             Low       Complete, stable, monitoring
    WW Voice Network Failure                            Medium    Actively strengthening
    Natural Disaster Service Interruption               High      Actively strengthening
    Criminal Activity/Theft/Vandalism                   Low       Complete, stable, monitoring
    Civil Unrest & Terrorism                            Medium    Complete, stable, monitoring
    Software errors affecting availability & integrity  Medium    Actively strengthening
    Human Errors                                        Medium    Actively strengthening
    Project Management                                  Medium    Complete, stable, monitoring
    Business System Change Control                      Medium    Complete, stable, monitoring
    Obsolescence                                        Medium    Actively strengthening
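As an added example (not part of the slides), the script below applies the three considerations of the IT Risk Consideration Framework (impact, likelihood, ability to control) to a few of the threats named in the summary slide and picks one of its four mitigation alternatives, producing rows shaped like the summary table. The likelihood/impact scales and Low/Medium/High bands are those of NIST SP 800-30 (2002); the decision rule, the ratings, the `controllable` flags and the cost figures are constructed assumptions.

```python
from dataclasses import dataclass

# NIST SP 800-30 (2002) scales, scaled by 10 to stay in integers: likelihood
# 1.0/0.5/0.1 -> 10/5/1, impact 100/50/10; bands Low 1-10, Medium >10-50, High >50.
LIKELIHOOD = {"High": 10, "Medium": 5, "Low": 1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}

@dataclass
class Risk:
    threat: str
    likelihood: str        # odds of the threat being realized
    impact: str            # criticality / financial / operational consequence
    controllable: bool     # ability to control the outcome with effective measures
    mitigation_cost: int   # constructed: yearly cost of the control
    expected_loss: int     # constructed: annualized loss without the control

def risk_score(r: Risk) -> int:
    return LIKELIHOOD[r.likelihood] * IMPACT[r.impact] // 10

def exposure(r: Risk) -> str:
    s = risk_score(r)
    return "High" if s > 50 else "Medium" if s > 10 else "Low"

def mitigation_alternative(r: Risk) -> str:
    """Constructed decision rule over the slide's four alternatives."""
    if r.mitigation_cost > r.expected_loss:
        # control costs more than it saves: accept, unless the exposure is too
        # high to live with, in which case avoid (do not implement the technology)
        return "Avoid" if exposure(r) == "High" else "Accept"
    if not r.controllable:
        return "Transfer"   # e.g. insurance or a third-party provider
    return "Reduce"         # implement the risk mitigation controls

def summary(register):
    # rows shaped like the IT Risk Summary slide: threat, exposure, response
    return [(r.threat, exposure(r), mitigation_alternative(r)) for r in register]

# Constructed register; only the threat names come from the summary slide.
REGISTER = [
    Risk("Data Center Power Outage", "Medium", "High", True, 20_000, 50_000),
    Risk("Natural Disaster Service Interruption", "High", "High", False, 80_000, 500_000),
    Risk("Civil Unrest & Terrorism", "Low", "High", False, 15_000, 3_000),
    Risk("Obsolescence", "High", "High", True, 60_000, 25_000),
    Risk("Hardware Failure", "High", "Medium", True, 5_000, 40_000),
]

if __name__ == "__main__":
    for threat, level, action in summary(REGISTER):
        print(f"{threat:40} {level:7} {action}")
```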

  • Risk Management Frameworks
    COBIT version 4.0

  • NIST (National Institute of Standards and Technology) SP 800-30

  • OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)

  • Summary
    What is meant by risk?
    Why is it related to uncertainty?
    Define the sources of risk.
    Give examples of ITRM in several fields.
    Why is ITRM needed?
    Name the aspects that have an impact on ITRM.
    Which framework best fits the ITRM needs of a developing country?

  • References
    IT Risk Management, Slay.
    G. Stoneburner, A. Goguen and A. Feringa, Risk Management Guide for Information Technology Systems, Recommendations of the National Institute of Standards and Technology, Special Publication 800-30, July 2002.
    The IT Governance Institute, USA, "COBIT 4.0", 2005.
    C. Alberts, A. Dorofee, Managing Information Security Risks: The OCTAVE(SM) Approach, Addison Wesley, USA, July 09, 2002.
    R. Flanagan and G. Norman, Risk Management and Construction, Blackwell Science Ltd, London, 1996.
    ISACA, Information Security Harmonization: Classification of Global Guidance, USA, 2005.

  • Syllabus:
    ITRM frameworks
    Relationship between ITRM and IT governance
    RM: organisational aspect
    RM: information / information system aspect
    RM: project management aspect
    Case study