Wednesday, April 15, 2009
IT Risk management software (my Adventures into Risk management software)
Risk Management Software (part 2)
Commercial solutions have already aggregated risk management into GRC software (Governance, Risk & Compliance) such as Agiliance RiskVision, Symantec's Control Compliance Suite, SAP's GRC solutions, CA's Clarity, Oracle's GRC Manager, BWise 4.0, MEGA's GRC Suite, etc.
But for me, I've been tasked to provide our IT group with a cost-effective, easy-to-use, standards-based risk management software specifically for IT projects.
Cost-effective
By cost-effective I mean "NOT a huge investment, and free would be nice".
Easy-to-use/implement
Any enterprise or assessment software has some learning curve and demands some level of initial expertise or domain experience. We're trying to avoid that.
Standards based
Well, at least based on risk management standards (a very good reason!), so that nobody just follows it blindly.
The ISMS standard to follow is ISO 27005 - ISMS Risk Management, released late 2008. It's part of the new ISO 27000 standard set:
• ISO 27000 – Fundamentals and vocabulary (late 2008)
• ISO 27001 – ISMS requirements–Certification Process (based on ISO 27002)
• ISO 27002 – Code of Practice on IS Management
• ISO 27003 – ISMS Implementation Guidance (2009)
• ISO 27004 – ISMS Metrics and measurement (late 2008)
• ISO 27005 – ISMS Risk Management (late 2008)
• ISO 27006 – Guidelines on ISMS accreditation (certification bodies)
• ISO 27007 – Guidelines on ISMS Auditing (2009)
The basic flow of the 27005 Risk management process includes:
• ESTABLISH CONTEXT
• RISK ASSESSMENT
  • Risk Analysis
    - Risk Identification
    - Risk Estimation
  • Risk Evaluation
• RISK TREATMENT
• RISK ACCEPTANCE
(Note that Risk Identification and Risk Estimation are sub-steps of Risk Analysis.)
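To make the flow above concrete, here is a small risk register that walks each step of the 27005 process over a few constructed sample risks for an IT project. This is an added example written for this post, not code from the original or from any product mentioned here; the 5x5 likelihood/impact scales, the acceptance threshold of 6, the project and the sample risks are assumptions, and the treatment names follow the four options of the 2008 edition (reduce, retain, avoid, transfer).

```python
"""Minimal ISO 27005-style risk register for an IT project (added example).

Walks the 27005 flow: establish context, identify, estimate, evaluate,
treat, accept. Scales, threshold and sample risks are assumed values.
"""
from dataclasses import dataclass
from typing import List, Optional

# --- ESTABLISH CONTEXT: rating scales and acceptance criteria (assumed 5x5 scale) ---
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
TREATMENT_OPTIONS = ("reduce", "retain", "avoid", "transfer")  # ISO 27005:2008 options


@dataclass
class Context:
    project: str
    scope: str
    acceptance_threshold: int  # risk level at or below which a risk may be retained


@dataclass
class Risk:
    # RISK IDENTIFICATION: asset, threat, vulnerability and consequence
    asset: str
    threat: str
    vulnerability: str
    consequence: str
    likelihood: str
    impact: str
    # filled in by estimation, treatment and acceptance
    level: Optional[int] = None
    treatment: Optional[str] = None
    accepted: bool = False


def estimate(risk: Risk) -> int:
    """RISK ESTIMATION: level = likelihood x impact on the assumed scales."""
    risk.level = LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]
    return risk.level


def evaluate(risk: Risk, ctx: Context) -> bool:
    """RISK EVALUATION: True when the level exceeds the context's acceptance criteria."""
    if risk.level is None:
        estimate(risk)
    return risk.level > ctx.acceptance_threshold


def treat(risk: Risk, ctx: Context, option: str) -> Risk:
    """RISK TREATMENT and RISK ACCEPTANCE: record the chosen option.

    Only retention within the acceptance criteria counts as accepted here;
    reduce/avoid/transfer would need a residual-risk re-assessment first.
    """
    if option not in TREATMENT_OPTIONS:
        raise ValueError(f"unknown treatment option: {option}")
    risk.treatment = option
    risk.accepted = option == "retain" and not evaluate(risk, ctx)
    return risk


def run_assessment(ctx: Context, risks: List[Risk]) -> List[Risk]:
    """Estimate every risk and return the register ranked, highest level first."""
    for r in risks:
        estimate(r)
    return sorted(risks, key=lambda r: r.level, reverse=True)


# --- Constructed sample data (assumed project and risks) ----------------------
CTX = Context(project="Payroll portal upgrade", scope="web tier and its database",
              acceptance_threshold=6)

SAMPLE_RISKS = [
    Risk("customer database", "SQL injection by external attacker",
         "unparameterised queries in legacy module", "disclosure of PII",
         likelihood="likely", impact="severe"),
    Risk("build server", "loss of build history", "no off-site backup",
         "delayed release", likelihood="possible", impact="minor"),
    Risk("admin console", "brute-force login", "no lockout policy",
         "unauthorised configuration change", likelihood="possible", impact="major"),
]


def demo() -> List[Risk]:
    """Run the whole flow: retain what is within appetite, reduce what is not."""
    ranked = run_assessment(CTX, SAMPLE_RISKS)
    for r in ranked:
        treat(r, CTX, "reduce" if evaluate(r, CTX) else "retain")
    return ranked


if __name__ == "__main__":
    for r in demo():
        print(f"{r.level:>2}  {r.asset:<18} {r.treatment:<8} accepted={r.accepted}")
```

Each function maps to one box in the 27005 flow, so the same structure can back a spreadsheet, a small web form or a command-line tool; what matters for the "standards-based" requirement is that context, estimation, evaluation and treatment stay separate, explicit steps rather than one combined score.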
Now, when you think about it, all these requirements are the recipe for an objective risk management system that can be quickly implemented and/or integrated on an IT project of any size (in techy terms: a small, flexible, free or almost free application).
The first thing that comes to mind is open source! (C'mon, it was in your mind the first time you read "free"... I mean "cost-effective", right?) Aside from cost, successful open source projects generally adhere to open standards. Then it's just a matter of finding the right one that is easy to understand, teach and implement.
Comments:
Did you happen to spend any time evaluating www.evantix.com? I've seen some demonstrations and they are doing some really interesting work with shared IT risk assessments. Seems like a better model than just repeating the same assessment over and over... Was interested to hear your thoughts.