Risk Management in IT Services INOSERV Mário Lavado www.inoserv.pt

Page 1: Risk Management in IT Services

Risk Management in IT Services

INOSERV

Mário Lavado

www.inoserv.pt

Page 2: Risk Management in IT Services

Definitions (ISO 20000): IT service risk

• 3.2.5 Risk: Effect of uncertainty on objectives [ISO 31000]

• 3.2.6 Service: Means of delivering value for the customers by facilitating results the customers want to achieve

• 3.2.8 Service continuity: Capability to manage risks and events that could have serious impact on a service or services in order to continually deliver services at agreed levels.

11/5/2015 www.inoserv.pt 2

Page 3: Risk Management in IT Services

Risk-based thinking

• Risk-based thinking ensures risk is considered from the beginning and throughout

• Risk-based thinking makes preventive action part of strategic and operational planning

• The concept of risk has always been implicit in ISO/IEC 20000


Page 4: Risk Management in IT Services

Service Management System ISO/IEC 20000


Page 5: Risk Management in IT Services

Risks in ISO/IEC 20000-1 (clause and description)

4.1.1 g) Management responsibility: Top management shall provide evidence of its commitment … by ensuring that risks to services are assessed and managed.

4.5.2 j) Plan the SMS (Plan): The service management plan shall contain or include a reference to at least …. the approach to be taken for the management of risks and the criteria for accepting risks;

4.5.3 d) Implement and operate the SMS (Do): The service provider shall implement and operate the SMS, through activities including at least … identification, assessment and management of risks to the services.

4.5.4.3 c) Management review: The input to management reviews shall include at least information on … risks.

4.5.5.2 c) Management of improvements: Setting targets for improvements in … risk reduction.

6.6.2 d) Information security controls: The service provider shall implement and operate physical, administrative and technical information security controls in order to … manage risks related to information security.


Page 6: Risk Management in IT Services

Risks in ISO/IEC 20000-1 (clause and description, continued)

6.6.3 a) Information security changes and incidents: Requests for change shall be assessed to identify … new or changed information security risks;

9.1 Configuration management: The degree of control shall maintain the integrity of services and service components, taking into consideration the service requirements and the risks associated with the CIs.

9.2 Change management: Decision-making shall take into consideration the risks, the potential impacts to services and the customer, ….


Page 7: Risk Management in IT Services

Context of organization

1. Understanding the organization and its context. The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its service management system (SMS).

2. Understanding the needs and expectations of interested parties. The organization shall determine:

a) interested parties that are relevant to the service management system; and

b) the requirements of these interested parties relevant to service continuity and availability and information security.


Page 8: Risk Management in IT Services

Actions to address risks and opportunities

When planning for the SMS, the organization shall consider the issues referred to in 1 and the requirements referred to in 2 and determine the risks and opportunities that need to be addressed to:

a) ensure the service management system can achieve its intended outcome(s);

b) prevent, or reduce, undesired effects; and

c) achieve continual improvement.

The organization shall plan:

d) actions to address these risks and opportunities; and

e) how to 1) integrate and implement these actions into its service management system processes; and 2) evaluate the effectiveness of these actions.


Page 9: Risk Management in IT Services

Service risk assessment. The organization shall define and apply a service risk assessment process that:

a) establishes and maintains service risk criteria that include:

1. the risk acceptance criteria; and

2. criteria for performing service risk assessments;

b) ensures that repeated service risk assessments produce consistent, valid and comparable results;

c) identifies the service risks:

1) apply the service risk assessment process to identify risks associated with the loss of service continuity and availability and loss of confidentiality, integrity and availability for information within the scope of the SMS; and

2) identify the risk owners;

d) analyses the service risks;

e) evaluates the service risks;

f) performs service risk assessments at planned intervals or when significant changes are proposed or occur; and

g) retains documented information of the results of the service risk assessments.


Page 10: Risk Management in IT Services

Service risk treatment. The organization shall define and apply a service risk treatment process to:

a) select appropriate service risk treatment options, taking account of the risk assessment results;

b) determine all controls that are necessary to implement the service risk treatment option(s) chosen;

c) design controls as required, or identify them from any source;

d) implement the service risk treatment plan; and

e) retain documented information of the results of the service risk treatment.


Page 11: Risk Management in IT Services

Risk Management Process ISO 31000


Page 12: Risk Management in IT Services

Service Risk Management Process

• Objectives

– Risks to the services and risks to new or changed services are identified, assessed and managed;

– Risks to information security are managed and have defined criteria for accepting risks;

– Risks to service continuity and availability are identified, assessed and managed;

– Service risk management processes are continually audited, measured, reviewed and improved in order to minimize the risks to the services.


Page 13: Risk Management in IT Services

Service Risk Management Process

• Scope

– SMS;

– Information security;

– Service continuity and availability;

– Services and service components;

– CIs;

– Requests for change.


Page 14: Risk Management in IT Services

Risk assessment

[Diagram: list of activities included in the PECB IMS2 methodology. Understanding the organization; Analyzing the existing system; Service policy; Risk assessment approach; Risk assessment methodology; Risk identification; Risk analysis; Risk evaluation; Risk treatment; Risk acceptance; Implement the SMS.]

Page 15: Risk Management in IT Services

Risk Identification

• Identification of services and service components;

• Identification of CIs related to service components;

• Identification of information assets and supporting assets;

• Identification of threats, vulnerabilities and opportunities;

• Identification of existing controls;

• Identification of impacts/consequences;


Page 16: Risk Management in IT Services

Risk analysis and evaluation

• Assessment of consequences;

• Assessment of incident likelihood;

• Level of risk determination;

• Risk evaluation;

• Risk treatment options and plan acceptance;

• Manage residual risk.
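The risk identification, analysis and evaluation steps of the two slides above, carried through in code on a small constructed service risk register. This is an added example, not material from the INOSERV slides or the PECB methodology; the 1 to 5 scales, the control effects and the acceptance threshold are assumptions chosen for the illustration.

```python
# Added example (assumed scales and criteria), not from the INOSERV slides.
from dataclasses import dataclass, replace

ACCEPTANCE_THRESHOLD = 6  # assumed risk acceptance criterion: level <= 6 is accepted

@dataclass(frozen=True)
class ServiceRisk:
    service: str          # service or service component (risk identification)
    ci: str               # supporting configuration item
    threat: str
    likelihood: int       # assumed scale 1 (rare) .. 5 (almost certain)
    consequence: int      # assumed scale 1 (negligible) .. 5 (severe)
    owner: str            # risk owner
    controls: tuple = ()  # controls applied so far

    def level(self) -> int:      # level of risk determination
        return self.likelihood * self.consequence

    def accepted(self) -> bool:  # risk evaluation against the acceptance criteria
        return self.level() <= ACCEPTANCE_THRESHOLD

# Constructed treatment options: which score a control lowers, and by how much.
CONTROL_EFFECT = {"offsite backup": ("consequence", 2),
                  "MFA on admin access": ("likelihood", 2),
                  "privileged access review": ("likelihood", 1)}

def treat(risk: ServiceRisk, plan: tuple) -> ServiceRisk:
    """Apply an ordered treatment plan and return the residual risk."""
    for control in plan:
        dim, delta = CONTROL_EFFECT[control]
        risk = replace(risk, **{dim: max(1, getattr(risk, dim) - delta)},
                       controls=risk.controls + (control,))
    return risk

def run_assessment(register: tuple, plans: dict) -> dict:
    """Evaluate each risk, treat those above the criteria and report residual risk.
    A pure function of its inputs, so repeated assessments give comparable results."""
    report = {}
    for risk in register:
        residual = risk if risk.accepted() else treat(risk, plans.get(risk.threat, ()))
        report[risk.threat] = {"owner": risk.owner, "inherent": risk.level(),
                               "residual": residual.level(), "accepted": residual.accepted(),
                               "controls": residual.controls}
    return report

# Constructed register and treatment plans for the demonstration.
REGISTER = (ServiceRisk("Email", "mail-srv-01", "disk failure", 3, 4, "IT operations"),
            ServiceRisk("Intranet", "web-01", "power outage", 2, 2, "Facilities"),
            ServiceRisk("Customer DB", "db-01", "unauthorised admin access", 4, 5, "CISO"))
PLANS = {"disk failure": ("offsite backup",),
         "unauthorised admin access": ("MFA on admin access", "privileged access review")}
```

Calling `run_assessment(REGISTER, PLANS)` returns, per threat, the inherent level, the residual level after the plan, whether the residual risk meets the acceptance criteria, and the controls that were applied; a residual risk still above the threshold is the signal that the treatment plan needs another option.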


Page 17: Risk Management in IT Services

Service Risk Management Process

[Diagram: the service risk management process and the SMS processes it links to. Service Risk Assessment; Change Management; Configuration Management; Management Review; Understanding the Organization; Service Risk Improvement; Service Incident Management; Continuity & Availability Management; Design & Transition Service Management.]

Page 18: Risk Management in IT Services

Conclusions

• ISO/IEC 20000 will adopt risk-based thinking, as ISO 9001 and ISO 27001 have;

• Service risk management process shall be aligned and interrelated with SMS;

• The best approach to service risk management is ISO 31000 with the scope of the risks to services and to information security.


Page 19: Risk Management in IT Services

Contacts

• Mário Lavado;

• (+ 351) 962 160 934;

[email protected].
