IT Risk Management and IT Infrastructure Management


  • 7/30/2019 IT Risk Management and IT Infrastructure Management

    1/19


    College: NMIMS, Mumbai

By: Subhada and Nishant Kumar


INDEX

1. INTRODUCTION
2. IT INFRASTRUCTURE MANAGEMENT
2.1 Approach for IT Infrastructure Management
2.1.1 Simplify the IT infrastructure
2.1.2 Increase operational efficiency
2.1.3 Retain and grow
3. IT RISK MANAGEMENT
3.1 Integration of risk management into the SDLC
3.2 Risk Assessment
3.3 Risk Categories
3.4 Managing Risk
4. CONCLUSION

SUMMARY

We are more dependent than ever on IT to run our businesses, yet IT failures are commonplace. At the same time, our IT environments are becoming more complex, and hence managing the IT infrastructure while reducing exposure to all types of IT risk is important.


operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT infrastructure and data that support their organizations' missions.

Minimizing negative impact on an organization and the need for a sound basis in decision making are the fundamental reasons organizations implement a risk management process for their IT systems. Effective risk management must be fully integrated into the SDLC (system development life cycle). If we do not do proper infrastructure management and do not get IT risk under control, we put the entire business at risk. Optimised use of the available infrastructure resources, together with proper risk management, is therefore the need of the day to reduce cost in the present economic conditions.

2. IT INFRASTRUCTURE MANAGEMENT

As the business grows, the number and complexity of data processing systems and the workload on the server room increase, placing greater demands on the IT infrastructure. Increased demand means increased power consumption, and with rising energy costs, mid-sized businesses face the imperative to do more with their IT infrastructure for less. The solution is to efficiently manage and optimize the available IT infrastructure. By optimizing the IT infrastructure the business can gain many benefits, including:

Energy cost savings
Reduced energy consumption
Improved efficiency
Optimized power consumption
Managed capacity
Shared resources
Reduced complexity
Lower unit cost


    Easy administration

    Fast response rate

2.1 Approach for IT Infrastructure Management

IT infrastructure management is the process of modifying the IT infrastructure so that it is more consolidated, flexible and automated. An optimized IT infrastructure facilitates the integration of new business applications. It fuels growth by managing costs through enhanced IT asset utilization, reduces operating expenses and makes it easier to keep the entire IT infrastructure in line with the growth objectives of the company. All businesses, regardless of size, can enjoy the benefits gained from IT optimization. An effective approach to infrastructure management involves three stages:

1. Simplify the IT infrastructure and manage assets for a positive financial impact on the corporate strategy.

2. Increase operational efficiency to enhance flexibility and optimize power consumption.

3. Retain and grow the IT infrastructure to align with company business goals, without costly renovations.

Simplification consolidates and virtualizes the IT environment, including servers, storage and network assets, into logical asset pools to improve IT resource utilization and lower infrastructure complexity. This provides a more complete view of data, which can minimize costs. Increasing operational efficiency essentially means automating capacity and workload management for increased flexibility; ultimately this leads to policy-based computing, which results in better IT and business alignment. Retain and grow is a strategy of realigning the IT budget by using savings in maintenance and operational costs to invest in growth initiatives. The three steps are described in detail below:

    2.1.1 Simplify the IT infrastructure

    Simplification includes consolidating and virtualizing the IT infrastructure to:


    1. Reduce IT operating costs and complexity.

    2. Maximize the performance of resources.

    3. Manage the IT environment more easily and effectively.

    4. Dispose of and recycle unused IT assets safely.

    Some typical cost reductions associated with IT asset simplification include:

    1. Server consolidation (4 to 1)

    2. Storage consolidation (25%)

    3. Support automation (30%)

Simplification of IT assets provides a consolidated view of data, regardless of where it is housed, freeing up valuable resources so that they can focus on exploring innovative ways to gain competitive advantage. One can also reuse assets more easily, which reduces the cost of change in the IT environment. Simplification provides an architecture and platform that centrally supports and manages applications that are currently maintained at different sites. It also uses automated provisioning, which lowers costs by removing labor-intensive tasks. This can dramatically improve decision-making, increase productivity, improve relationships with customers, partners and suppliers, and create more uniform customer service.

Virtualization is a significant component of asset simplification. When you establish multiple virtual servers per physical server, you are likely to see noticeable cost savings. With a broad set of virtualization capabilities, including cross-platform virtualization, automation and systems management solutions, mid-sized businesses can simply and dynamically access and manage resources for better asset utilization and reduced operating costs. An intranet and extranet portal can be added to share information and further facilitate productivity improvements and cost savings. When physical server utilization rates increase, additional virtual servers are provisioned quickly and automatically. Such automation lowers provisioning costs while letting the IT environment respond quickly to changing business needs. Consolidation also concentrates risk: the hypervisor and its management interface become a single point of failure and a high-value target, so they need the same change control and patching discipline discussed under IT risk below.

With automatic workload management, IT infrastructure utilization rates can be high without the burden of costly, labor-intensive manual system configuration. Utilizing multiple virtual servers per physical server can also reduce licensing costs considerably in many configurations and facilitate administration.

2.1.2 Increase operational efficiency

When technical resources are consumed with problem determination and resolution, efficiency and productivity suffer, because identifying the root cause of problems and rectifying them can be extremely time-consuming and costly. A National Institute of Standards and Technology study showed that 80% of development funds are spent identifying and fixing problems. Why does problem determination and resolution claim so much time and money? Because many companies rely on manual processes to identify and solve problems, manual processes that can impair a company's competitiveness. By reducing the time that staff spend on problem determination and resolution and by increasing the productivity of all technical resources, the IT infrastructure and staff can promote rather than inhibit the on-demand business.

The benefits of increased operational efficiency include:

1. Better server and storage use

2. Less server redundancy

3. The cost savings of automated provisioning

4. IT assets that are aligned with business requirements through orchestration

2.1.3 Retain and grow

IT budgets have two components: spending on new initiatives and spending to operate and maintain IT organizations, systems and equipment. As stated earlier, companies typically spend approximately 80% of their budgets on maintenance and operations, leaving very little for new projects, such as integrating business processes with key partners, suppliers and clients. IT managers are seeking help to align IT resources and budget to focus on supporting the strategic objectives of the company.

As you reduce complexity and improve how IT assets are used, the maintenance and licensing cost savings can be reallocated from routine operating expenses to strategic investments, such as innovative technologies, services, techniques and strategic opportunities. By integrating existing systems into a flexible IT infrastructure, you give IT the tools to respond rapidly to changing business priorities. By integrating the data, you can send a unified view of information to the right people at the right time, helping them to make informed business decisions based on the best and most comprehensive data.

Another IT asset that you may wish to optimize is the Web site. It is not only a communication and support tool for customers but also a communication tool for investors and suppliers, so it must be fast, reliable and fully functional 24x7.

3. IT RISK MANAGEMENT

IT risk management is the identification, assessment and prioritization of risks, followed by the coordinated and economical application of resources to minimize, monitor and control the probability and/or impact of unfortunate events. Because IT risk is not limited to security, treating it as a whole enables organizations to identify weak or overlooked risk domains. The risk can be divided into four categories: business disruption, relational, technology and IT governance. Thus, in this context, an IT risk is the potential for exposure to loss for the organization from a failure in any aspect of the IT environment, and it falls within the risk domains of business disruption, relational, technology and governance.

3.1 Integration of risk management into the SDLC

Minimizing negative impact on an organization and the need for a sound basis in decision making are the fundamental reasons organizations implement a risk management process for their IT systems. Effective risk management must be fully integrated into the SDLC. An IT system's SDLC has five phases: initiation, development or acquisition, implementation, operation or maintenance, and disposal. In some cases, an IT system may occupy several of these phases at the same time. However, the risk management methodology is the same regardless of the SDLC phase for which the assessment is being conducted. Risk management is an iterative process that can be performed during each major phase of the SDLC.

3.2 Risk Assessment

Risk assessment is the first process in the risk management methodology. Organizations use risk assessment to determine the extent of the potential threat and the risk associated with an IT system throughout its SDLC. The output of this process helps to identify appropriate controls for reducing or eliminating risk during the risk mitigation process. The risk assessment methodology (that of NIST SP 800-30, which this section follows) encompasses nine primary steps:

1. System characterization
2. Threat identification
3. Vulnerability identification
4. Control analysis
5. Likelihood determination
6. Impact analysis
7. Risk determination
8. Control recommendations
9. Results documentation

3.3 Risk Categories

Generally speaking, organizations today must address four main types of IT risk:

3.3.1 Business Disruption Risks

Business disruption risks include malicious attacks and online privacy issues, as well as external events that could hinder a firm's continued operations. They can be of four types:

Business continuity risk: Poor or inadequate planning on IT's part remains a major business continuity risk. On the other hand, one CISO observed that the business is at risk of solely associating business continuity planning (BCP) with IT recovery, at the expense of ignoring logistical and resource issues outside of IT's direct control (e.g., accessing Rolodexes kept in a locked desk that is no longer accessible). Insufficient resources, driven by a short business attention span that is only galvanized by disaster, is another business continuity risk and hinders BCP from being taken seriously. Finally, inadequate BCP on the part of a supplier, vendor or business partner can be the Achilles' heel of even the most thorough BCP effort because of increasingly interdependent relationships with third parties.


IT security risk: IT security risks are growing as the reasons and means for disrupting business increase. However, resource cutbacks have hamstrung some security organizations from dealing with new security threats or reacting quickly to attacks. Because IT security risk is rarely on the mind of the business unless there are significant breaches in the news, it is hard for the business to understand residual security risk and allocate resources accordingly.

Online risk: Limiting customer input or access to company Web sites is the easiest way to deal with some aspects of online risk, especially when the company Web site is more informational than interactive. However, firms that conduct financial transactions or process customer credit card data online must not only develop standards and controls to protect their Web sites from attackers, they must also educate their customers about best practices for protecting their privacy and personal information when using the site. And the risks in the online world go beyond security-related risks to encompass branding, reputation and even broader compliance risks such as Americans with Disabilities Act (ADA) compliance.

Information risk: It is hard to overestimate the impact of a loss or breach of information. Not only is an incident embarrassing, there are regulatory and legal consequences as well. To prevent unauthorized access or disclosure, firms need to develop controls that address the accuracy, mobility, modification and access of information. The challenge is educating each level of the business on the sensitivity of the information it possesses so that it can then recognize what should be protected. As part of educating the business, one state agency hosts a computer security day and a computer awareness competition.

3.3.2 Relational Risks

Relational risks emerge from dependency on third parties and from the business's perception of IT, as shaped by the frequency of service disruption and the effectiveness of IT's communications.


Vendor management risk: Vendor management risks include vendor selection, requirements, influence and stability. Poor vendor selection can lead to misused resources, strained staff, and service disruptions or delays. If IT omits vendor requirements from the service-level agreement (SLA), or the vendor does not understand them, the organization is at risk, especially if the vendor has sloppy risk management practices that could expose the firm's information or IP to loss or improper access. Firms also worry that they will not have the clout to keep the vendor's attention from drifting to other product areas. If the vendor goes out of business, how will that affect your organization and the support expected?

"For example, with VoIP, there are more than 200 vendors that offer services. Within the next 10 years, there will be five. I need to pick the right one today and hope they are still around because I know that my decisions will be available three years down the road." (Director of IT security, governmental agency)

Third-party relationship risk: Distributed business tears down defined organization boundaries. Organizations have been reengineered and outsourced, and have established a myriad of business relationships with partners and suppliers that significantly add to the risk complexity within IT. Similar to the risks generated by vendor relationships, companies face the risk of not defining requirements, the risk of the other party not understanding what is expected of them, and the risk of not monitoring after the SLA has been signed to ensure the agreement is being followed. Businesses are also at risk if they have not built security controls for third-party human resources into their contracts and SLAs to protect them from liability.

IT reputation/customer satisfaction risk: Major service interruptions and incidents erode IT's reputation with the business and complicate IT's efforts to position itself as a value generator. Likewise, business perception of IT suffers when it does not deliver cost-efficient, timely solutions that meet new business needs and fulfill existing SLA commitments. When IT tries to assess business perception, it often relies exclusively on customer satisfaction surveys that never really address the main concerns of the business. In one energy organization, even people in IT are skeptical because customer satisfaction scores are in the 90s but dialogue with the business paints a different picture.

3.3.3 Technology Risks

Technology risks include IT's ability to keep pace with new technology, manage and develop projects that address business needs, implement business changes in a responsible manner, and maintain a standardized but flexible IT infrastructure.

IT agility risk: IT agility is sometimes constrained by the business's openness to innovation. On the other hand, more organizations have the opposite problem, where the business is willing and able to innovate but the IT culture resists innovation. If IT drags its feet implementing change, it has to play catch-up to the business and becomes a source of frustration instead of a partner in innovation.

IT architecture risk: Architecture risk involves properly defining the architecture and developing standards that provide structure but do not constrain flexibility. The risk here is that firms will not upgrade old technologies quickly enough to meet the technical needs associated with business change. A corresponding risk is that the business will not want to follow the established architecture, preferring short-term tactical needs over long-term architecture strategy.

Change execution risk: The major risk is that change management processes for infrastructure or applications are either absent or not followed. One information security specialist pointed out that there is a direct correlation between the enforcement of change management processes and the availability of systems and integrity of the environment. Without vigilance, business customers may try to "beat the system" to avoid following established processes. In addition, some organizations engage in so many drastic changes that they have unnecessary, expensive service outages, while others are so comfortable with the familiarity of the existing infrastructure that they miss possible improvements. The practical check is to reconcile what actually changed on production systems (package installs, configuration edits, service restarts) against the approved change records: a change with no ticket, an unknown ticket, a ticket that does not cover that host, or a timestamp outside the approved window is a process failure worth investigating before it becomes an outage.


Project development risk: The business may take a hands-off approach to project management because they do not understand the importance of being involved throughout the process, or are content because project planning ran smoothly. If business priorities shift and they do not communicate this to IT, project developers may design an expensive, irrelevant project that no longer meets business needs.
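The following Python script is an added worked example for the change execution risk described above; it is not part of the original paper. It reconciles a host change log against an approved-change register and reports every change that has no ticket, an unknown ticket, a ticket that does not cover the host, or a timestamp outside the approved window. The register, the key=value log format, the CHG-nnnn ticket numbers, the hostnames and every log line are constructed sample data chosen for the example; in practice the register would come from the ticketing system and the events from host audit logs.

```python
"""Reconciling observed production changes against approved change records.

Added worked example for this paper, not the authors' code.  The approved
change register, the key=value log format, the CHG-nnnn ticket numbers, the
hostnames and every log line below are constructed sample data chosen for
the example.
"""
from datetime import datetime, timezone
from typing import Optional

# Constructed approved-change register: ticket -> hosts in scope and UTC window.
APPROVED = {
    "CHG-1042": {"hosts": {"web01", "web02"},
                 "start": "2019-07-30T02:00:00Z", "end": "2019-07-30T04:00:00Z"},
    "CHG-1050": {"hosts": {"db01"},
                 "start": "2019-07-31T01:00:00Z", "end": "2019-07-31T02:00:00Z"},
}

# Constructed host change log.  Assumed format: ISO-8601 UTC timestamp, then
# space-separated key=value fields (values contain no spaces); 'ticket' is optional.
LOG = """\
2019-07-30T02:10:00Z host=web01 user=ops1 action=package_install pkg=openssl ticket=CHG-1042
2019-07-30T02:15:00Z host=web02 user=ops1 action=service_restart svc=nginx ticket=CHG-1042
2019-07-30T03:05:00Z host=db01 user=ops1 action=package_install pkg=mysql-server ticket=CHG-1042
2019-07-30T14:22:00Z host=web01 user=dev7 action=config_edit file=/etc/nginx/nginx.conf
2019-07-31T01:20:00Z host=db01 user=ops2 action=config_edit file=/etc/my.cnf ticket=CHG-9999
2019-07-31T02:30:00Z host=db01 user=ops2 action=service_restart svc=mysqld ticket=CHG-1050
"""


def parse_ts(value: str) -> datetime:
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' form used by the constructed log as UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line: str) -> dict:
    """Split one log line into a dict; the timestamp is stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def classify(event: dict, approved: dict) -> Optional[str]:
    """Return the reason an event is out of process, or None if a ticket covers it.

    Checks run from cheapest to most specific: ticket present, ticket known,
    host in the ticket's scope, timestamp inside the window (bounds inclusive).
    """
    ticket = event.get("ticket")
    if ticket is None:
        return "no change ticket"
    record = approved.get(ticket)
    if record is None:
        return "unknown change ticket"
    if event["host"] not in record["hosts"]:
        return "ticket not approved for this host"
    when = parse_ts(event["ts"])
    if not (parse_ts(record["start"]) <= when <= parse_ts(record["end"])):
        return "outside approved change window"
    return None


def audit_changes(log_text: str, approved: dict) -> list:
    """Return (timestamp, host, user, reason) for every change not covered by an
    approved ticket, in log order.  Covered changes produce nothing."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        reason = classify(event, approved)
        if reason:
            findings.append((event["ts"], event["host"], event["user"], reason))
    return findings


def unauthorised_per_host(findings: list) -> dict:
    """Count out-of-process changes per host; hosts that keep appearing here are
    where availability and integrity problems should be expected."""
    counts = {}
    for _, host, _, _ in findings:
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    hits = audit_changes(LOG, APPROVED)
    for ts, host, user, reason in hits:
        print(f"{ts} {host:6} {user:5} {reason}")
    print(unauthorised_per_host(hits))
```

On the constructed log the two web changes under CHG-1042 pass, while the db01 install charged to a web-only ticket, the untracked nginx edit, the fictitious CHG-9999 and the restart thirty minutes after the CHG-1050 window closed are all reported. The window bounds are treated as inclusive, so a change logged exactly at the window end is still in process.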

3.3.4 IT Governance Risks

IT governance risk is nearly universally recognized as an important risk for businesses regardless of industry. Without a strong governance structure in place, firms will be unable to mitigate the IT risks associated with the other domains.

IT strategic risk: IT strategic risk results from a lack of alignment with the business, inconsistent compliance with governance standards, or a loss of control. In some cases, the business pays lip service to the ideal of IT governance while not providing adequate resources, or completely disregards IT governance standards when there is an attractive business opportunity. Differences in governance between the firm and associated third parties also put the firm at risk of losing control of its information, services and critical resources.

IT resources risk: Major risk areas include finding the right people, the right skills and the right funding. Due to the specialized skills required, IT security professionals and quality control specialists are in high demand and low supply, and are therefore paid accordingly. Firms risk losing their best people to competitive salary offers. For firms that outsource, there are risks associated with finding the right vendor to match the skills needed by the organization, as well as determining which skills should be outsourced. In addition, IT must identify internal employees with the leadership skills and technical know-how to guide the vendors appropriately. From a funding perspective, IT organizations face a triple challenge: getting adequate funds from the business, allocating resources quickly enough to keep pace with evolving business requirements, and managing the resources they have been given effectively.


Compliance/legal risk: The real challenge for IT is not only to be aware of regulations and regulatory changes like SOX and HIPAA, but to modify processes in a timely manner to keep pace with them. Therefore, IT must manage the risks of compliance as a process, not as individual projects. The dynamic nature of business and IT requires that organizations stay on top of requirements to keep abreast of the pace of business and technology change. Firms that operate in multiple jurisdictions also face the complexity and resource drain of conflicting regulations and duplicative audits. Even domestically there is regulatory overlap that unwittingly contributes to inefficiency and strains IT resources. Some business opportunities may be passed over due to the expensive or onerous compliance requirements they trigger.

All four types of IT risk are increasingly interrelated and important to just about everyone in the organization. For example, IT directors and managers are on the front lines when IT failures occur. They see how patches must be rolled out in a compliant manner to protect systems from security threats, or how data protection practices designed to improve availability can impact network performance and create security vulnerabilities if the data is not encrypted. It is all connected. Also, as IT failures become synonymous with business failures, IT risk is becoming a topic within the boardroom and the executive suite. In fact, companies such as FedEx, Procter & Gamble and Home Depot have established special board committees whose sole purpose is the management of IT risk.


3.4 Managing Risk

To address all aspects of IT risk, the IT department needs to craft and implement a holistic IT risk management strategy that incorporates assessment, accountability, measurement and management. A five-step approach to managing IT risk is suggested. The cornerstone of the approach is this belief: when an organization successfully manages IT risk, it is better able to use IT to compete and innovate with confidence.

1. The first step is to develop an awareness and understanding of the specific IT risks to your business: security, availability, performance and compliance.

2. The second step is to quantify risks through an impact assessment and develop a business case for IT investment. Impact can take many forms, including customer losses, business losses, damage to brand equity, legal costs and regulatory fines.

3. Next, companies should understand the range of tools they can apply to managing IT risk and design a solution. Technology is clearly an important component of the solution, but just as important are tools that address the human elements of an IT system, including training and operational processes.

4. The fourth step is to align IT risks and costs with the business to find the right level of investment and implement the solution. Obviously we cannot afford to apply the highest levels of protection to every IT risk we identify.

5. The last step is to develop a systematic, ongoing capacity to manage IT risk. It is not a project but an ongoing activity that must be built into the culture of the organization.
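The following Python script is an added worked example, not part of the original paper, that carries steps 2 and 4 of this approach through in code for the risk assessment of section 3.2. It rates each register entry on the qualitative likelihood/impact scale of NIST SP 800-30 (the methodology section 3.2 follows), computes the annualised loss expectancy (ALE = single loss expectancy x annual rate of occurrence, the standard quantitative formula) to support the business case, and then picks the controls that pay for themselves within a budget. The four register entries, their dollar figures, the control names, residual rates and the budget are constructed sample data; the four category labels are the paper's risk domains.

```python
"""Prioritising IT risks and choosing which controls to fund.

Added worked example for this paper, not the authors' code.  The likelihood
and impact scale and the High/Medium/Low thresholds are those of NIST SP
800-30; ALE = SLE x ARO is the standard quantitative formula.  Every register
entry, dollar figure, control and residual rate below is constructed sample
data.
"""
from dataclasses import dataclass

# NIST SP 800-30 qualitative scale: likelihood weights and impact values.
LIKELIHOOD = {"high": 1.0, "medium": 0.5, "low": 0.1}
IMPACT = {"high": 100, "medium": 50, "low": 10}
LEVEL_RANK = {"High": 0, "Medium": 1, "Low": 2}


def risk_level(likelihood: str, impact: str) -> str:
    """Map a (likelihood, impact) pair to the NIST risk-level matrix.

    Score = likelihood weight x impact value; above 50 is High, above 10 is
    Medium, anything else is Low.  A high-impact but low-likelihood risk
    (0.1 x 100 = 10) lands in Low, which is why the quantitative ALE view
    below is kept alongside the qualitative one.
    """
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    name: str
    category: str        # one of the paper's four risk domains
    likelihood: str      # high / medium / low
    impact: str          # high / medium / low
    sle: float           # single loss expectancy: cost of one occurrence
    aro: float           # annual rate of occurrence (expected events per year)

    @property
    def ale(self) -> float:
        """Annualised loss expectancy: the yearly cost of carrying this risk."""
        return self.sle * self.aro


@dataclass
class Control:
    risk_name: str       # the Risk.name this control mitigates
    name: str
    annual_cost: float   # what the control costs per year
    aro_after: float     # residual annual rate of occurrence once in place


def prioritise(risks: list) -> list:
    """Rank risks by NIST level first, then by ALE (largest first) within a level."""
    return sorted(risks, key=lambda r: (LEVEL_RANK[risk_level(r.likelihood, r.impact)], -r.ale))


def net_benefit(risk: Risk, control: Control) -> float:
    """ALE avoided by the control minus its annual cost (negative: not worth buying)."""
    residual_ale = risk.sle * control.aro_after
    return risk.ale - residual_ale - control.annual_cost


def fund_controls(risks: list, controls: list, budget: float) -> list:
    """Step 4 of the approach: fund controls that pay for themselves, best net
    benefit first, until the budget runs out.  Controls with a non-positive
    net benefit are never funded, whatever the budget."""
    by_name = {r.name: r for r in risks}
    scored = [(net_benefit(by_name[c.risk_name], c), c) for c in controls]
    scored.sort(key=lambda pair: -pair[0])
    funded, remaining = [], budget
    for benefit, control in scored:
        if benefit <= 0:
            continue
        if control.annual_cost <= remaining:
            funded.append(control.name)
            remaining -= control.annual_cost
    return funded


# Constructed sample register spanning the paper's four risk domains.
RISKS = [
    Risk("Unpatched internet-facing web server", "business disruption", "high", "high", 250_000, 0.5),
    Risk("Key VoIP vendor exits the market", "relational", "low", "high", 400_000, 0.05),
    Risk("Untracked production change causes outage", "technology", "medium", "medium", 40_000, 4.0),
    Risk("SOX control evidence missing at audit", "IT governance", "medium", "high", 150_000, 0.2),
]

# Constructed candidate controls, one per risk.
CONTROLS = [
    Control("Unpatched internet-facing web server", "Monthly patch cycle plus WAF", 30_000, 0.1),
    Control("Key VoIP vendor exits the market", "Source-code escrow and second-source contract", 30_000, 0.01),
    Control("Untracked production change causes outage", "Enforced change tickets with CI gating", 25_000, 1.0),
    Control("SOX control evidence missing at audit", "Automated control-evidence collection", 20_000, 0.05),
]

if __name__ == "__main__":
    for r in prioritise(RISKS):
        print(f"{risk_level(r.likelihood, r.impact):6} ALE={r.ale:>10,.0f}  {r.name} [{r.category}]")
    print("Fund within 60,000:", fund_controls(RISKS, CONTROLS, 60_000))
```

Two things the numbers show that the prose does not: the qualitative matrix and the ALE ranking disagree (the change-control risk is only Medium but carries the largest yearly loss), and a control can be worth nothing even for a scary risk (the vendor escrow costs more per year than the loss it avoids, so it is never funded). Both are the kind of tension step 4 is meant to surface before money is spent.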


    Fig: Managing Risk

4. CONCLUSION

In this era of stiff competition, a business has to run at lower cost than its competitors in order to survive. An important task in hand is thus to manage its available infrastructure well while minimizing its risk. This paper highlights ways to optimize the use of available infrastructure, together with means to identify risk and to mitigate it.
