Risk Management in IT Services
INOSERV
Mário Lavado
www.inoserv.pt
Definitions (ISO/IEC 20000): IT Service Risk
• 3.2.5 Risk: effect of uncertainty on objectives [ISO 31000]
• 3.2.6 Service: means of delivering value for the customers by facilitating the results the customers want to achieve
• 3.2.8 Service continuity: capability to manage risks and events that could have serious impact on a service or services in order to continually deliver services at agreed levels.
11/5/2015 www.inoserv.pt 2
Risk-based thinking
• Risk-based thinking ensures risk is considered from the beginning and throughout
• Risk-based thinking makes preventive action part of strategic and operational planning
• The concept of risk has always been implicit in ISO/IEC 20000
Service Management System ISO/IEC 20000
Risks in ISO/IEC 20000-1 (clause – description)
• 4.1.1 g) Management responsibility – Top management shall provide evidence of its commitment … by ensuring that risks to services are assessed and managed.
• 4.5.2 j) Plan the SMS (Plan) – The service management plan shall contain or include a reference to at least … the approach to be taken for the management of risks and the criteria for accepting risks;
• 4.5.3 d) Implement and operate the SMS (Do) – The service provider shall implement and operate the SMS, through activities including at least … identification, assessment and management of risks to the services.
• 4.5.4.3 c) Management review – The input to management reviews shall include at least information on … risks.
• 4.5.5.2 c) Management of improvements – Setting targets for improvements in … risk reduction.
• 6.6.2 d) Information security controls – The service provider shall implement and operate physical, administrative and technical information security controls in order to … manage risks related to information security.
Risks in ISO/IEC 20000-1 (clause – description, continued)
• 6.6.3 a) Information security changes and incidents – Requests for change shall be assessed to identify … new or changed information security risks;
• 9.1 Configuration management – The degree of control shall maintain the integrity of services and service components, taking into consideration the service requirements and the risks associated with the CIs.
• 9.2 Change management – Decision-making shall take into consideration the risks, the potential impacts to services and the customer, …
Context of the organization
1. Understanding the organization and its context. The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its service management system (SMS).
2. Understanding the needs and expectations of interested parties. The organization shall determine:
a) interested parties that are relevant to the service management system; and
b) the requirements of these interested parties relevant to service continuity and availability and information security.
Actions to address risks and opportunities
When planning for the SMS, the organization shall consider the issues referred to in 1 and the requirements referred to in 2 and determine the risks and opportunities that need to be addressed to:
a) ensure the service management system can achieve its intended outcome(s);
b) prevent, or reduce, undesired effects; and
c) achieve continual improvement.
The organization shall plan:
d) actions to address these risks and opportunities; and
e) how to 1) integrate and implement these actions into its service management system processes; and 2) evaluate the effectiveness of these actions.
Service risk assessment
The organization shall define and apply a service risk assessment process that:
a) establishes and maintains service risk criteria that include:
1) the risk acceptance criteria; and
2) criteria for performing service risk assessments;
b) ensures that repeated service risk assessments produce consistent, valid and comparable results;
c) identifies the service risks:
1) apply the service risk assessment process to identify risks associated with the loss of service continuity and availability and the loss of confidentiality, integrity and availability of information within the scope of the SMS; and
2) identify the risk owners;
d) analyses the service risks;
e) evaluates the service risks;
f) performs service risk assessments at planned intervals or when significant changes are proposed or occur; and
g) retains documented information of the results of the service risk assessments.
Service risk treatment
The organization shall define and apply a service risk treatment process to:
a) select appropriate service risk treatment options, taking account of the risk assessment results;
b) determine all controls that are necessary to implement the service risk treatment option(s) chosen;
c) design controls as required, or identify them from any source;
d) implement the service risk treatment plan; and
e) retain documented information of the results of the service risk treatment.
Risk Management Process ISO 31000
Service Risk Management Process
• Objectives
– Risks to the services and risks to new or changed services are identified, assessed and managed;
– Risks to information security are managed and have defined criteria for accepting risks;
– Risks to service continuity and availability are identified, assessed and managed;
– The service risk management process is continually audited, measured, reviewed and improved in order to minimize the risks to the services.
Service Risk Management Process
• Scope
– SMS;
– Information security;
– Service continuity and availability;
– Services and service components;
– CIs;
– Requests for change.
Risk assessment
Figure: list of activities included in the PECB IMS2 methodology (diagram; activities recovered from the slide):
– Understanding the organization
– Analyzing the existing system
– Service policy
– Risk assessment approach
– Risk assessment methodology
– Risk identification
– Risk analysis
– Risk evaluation
– Risk treatment
– Risk acceptance
– Implement the SMS
Risk Identification
• Identification of services and service components;
• Identification of CIs related to service components;
• Identification of information assets and supporting assets;
• Identification of threats, vulnerabilities and opportunities;
• Identification of existing controls;
• Identification of impacts/consequences.
Risk analysis and evaluation
• Assessment of consequences;
• Assessment of incident likelihood;
• Level of risk determination;
• Risk evaluation;
• Risk treatment options and plan acceptance;
• Manage residual risk.
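The service risk assessment and treatment steps on the earlier slides (risk criteria, risk owners, analysis, evaluation, treatment, residual risk, documented results) and the identification/analysis bullets above can be carried through as a small risk register. The following is an added worked example written for this page; it is not code from the presentation, from INOSERV or from any ISO document. The 1–5 likelihood and consequence scale, the acceptance and escalation thresholds, the "level = likelihood x consequence" rule and the three sample risks are all constructed assumptions chosen only to show the mechanics.

```python
"""Service risk register: identify -> analyse -> evaluate -> treat -> residual risk.

Added illustration for this page; not from the original slides or any ISO text.
Scale, thresholds and sample risks below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# --- Service risk criteria (assumed) ---
# Likelihood and consequence are each rated 1 (lowest) .. 5 (highest);
# level of risk = likelihood x consequence (1..25).
SCALE_MIN, SCALE_MAX = 1, 5
ACCEPTANCE_THRESHOLD = 6    # assumed risk acceptance criterion: level <= 6 is acceptable
ESCALATION_THRESHOLD = 15   # assumed: level >= 15 is reported to top management


@dataclass
class Control:
    """An existing or planned control and the reduction it is assumed to provide."""
    name: str
    likelihood_reduction: int = 0
    consequence_reduction: int = 0


@dataclass
class ServiceRisk:
    risk_id: str
    service: str              # service or service component at risk
    asset: str                # CI or information asset involved
    threat: str
    vulnerability: str
    property_at_risk: str     # continuity/availability, confidentiality, integrity
    owner: str                # the risk owner
    likelihood: int
    consequence: int
    existing_controls: List[Control] = field(default_factory=list)
    planned_controls: List[Control] = field(default_factory=list)
    treatment: Optional[str] = None

    @staticmethod
    def _clamp(value: int) -> int:
        return max(SCALE_MIN, min(SCALE_MAX, value))

    def level(self, controls: Optional[List[Control]] = None) -> int:
        """Level of risk with the given controls applied (default: existing controls)."""
        applied = self.existing_controls if controls is None else controls
        lik = self._clamp(self.likelihood - sum(c.likelihood_reduction for c in applied))
        con = self._clamp(self.consequence - sum(c.consequence_reduction for c in applied))
        return lik * con

    def residual_level(self) -> int:
        """Level of risk once the planned treatment controls are also in place."""
        return self.level(self.existing_controls + self.planned_controls)


def evaluate(level: int) -> str:
    """Risk evaluation: compare a level of risk against the acceptance criteria."""
    if level <= ACCEPTANCE_THRESHOLD:
        return "acceptable"
    if level >= ESCALATION_THRESHOLD:
        return "unacceptable - escalate"
    return "treat"


def select_treatment(risk: ServiceRisk) -> str:
    """Treatment option from the evaluation (assumed policy: accept or modify)."""
    return "accept" if evaluate(risk.level()) == "acceptable" else "modify"


def assess_register(register: List[ServiceRisk]) -> List[dict]:
    """Analyse, evaluate and check residual risk for every entry; the returned
    rows are the documented results of the assessment and treatment."""
    results = []
    for r in register:
        current = r.level()
        r.treatment = select_treatment(r)
        residual = current if r.treatment == "accept" else r.residual_level()
        results.append({
            "risk_id": r.risk_id, "owner": r.owner,
            "current_level": current, "evaluation": evaluate(current),
            "treatment": r.treatment, "residual_level": residual,
            "residual_acceptable": evaluate(residual) == "acceptable",
        })
    return results


# Constructed sample register (hypothetical services, assets and ratings)
SAMPLE_REGISTER = [
    ServiceRisk("R1", "E-mail service", "MAIL-01 (single mail server)",
                threat="Hardware failure", vulnerability="No redundancy",
                property_at_risk="availability", owner="IT Operations Manager",
                likelihood=4, consequence=4,
                existing_controls=[Control("Nightly backup", consequence_reduction=1)],
                planned_controls=[Control("Second node with failover", likelihood_reduction=2)]),
    ServiceRisk("R2", "Customer portal", "Customer database",
                threat="Unauthorised access", vulnerability="Shared admin account",
                property_at_risk="confidentiality", owner="Information Security Officer",
                likelihood=3, consequence=5,
                planned_controls=[Control("Named accounts with MFA", likelihood_reduction=2),
                                  Control("Field-level encryption", consequence_reduction=1)]),
    ServiceRisk("R3", "Intranet wiki", "WIKI-01",
                threat="Service outage", vulnerability="Unpatched software",
                property_at_risk="availability", owner="Service Desk Lead",
                likelihood=2, consequence=2),
]

if __name__ == "__main__":
    for row in assess_register(SAMPLE_REGISTER):
        print(row)
```

Running the script prints one documented row per risk: R1 (level 12) and R2 (level 15, escalated) both need treatment and fall to an acceptable residual level once the planned controls are counted, while R3 (level 4) is accepted as-is. The point of keeping the criteria as named constants is that repeated assessments stay consistent and comparable, which is what clause b) of the service risk assessment process asks for.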
Service Risk Management Process
Figure: the service risk management process and the SMS processes it interacts with (diagram; labels recovered from the slide):
– Service Risk Assessment
– Change Management
– Configuration Management
– Management Review
– Understanding the Organization
– Service Risk Improvement
– Service Incident Management
– Continuity & Availability Management
– Design & Transition Service Management
Conclusions
• ISO/IEC 20000 will adopt risk-based thinking, as ISO 9001 and ISO 27001 have;
• The service risk management process shall be aligned and interrelated with the SMS;
• The best approach to service risk management is ISO 31000, scoped to the risks to services and to information security.