Service Design – Section 4.5 Service Continuity Management

We are all familiar with typical risk management processes. The fundamental notion is that we identify risks, risks, we assess their probability of occurrence, occurrence, and we assess the consequence of occurrence. Then we put a risk management plan in place that is designed to eliminate, or alleviate the impact of, the serious risk events. Every risk is necessarily a future event, and only when the risk event actually happens is the risk transformed into a problem. The better we are at identifying risks and understanding the underlying basis of our risks, the better we can manage the risks. James Dobbins, Critical Success Factor (CSF) Analysis for DoD Risk Management CSF—More Than Making a List

Service Design – Section 4.5 Service Continuity Management Risk Analysis provides basic input for continuity and recovery strategies, plans and responses. Risk is a function of the likelihood of a given threat- source exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.

Service Design – Section 4.5 Service Continuity Management A family of standards relating to risk management codified by the International Organization for Standardization that provides generic guidelines for the design, implementation and maintenance of risk management processes throughout an organization.

Service Design – Section 4.5 Service Continuity Management

5.2 Communications 5.3 Context Setting 5.6 Risk Monitoring 5.5 Risk Treatment Evaluation Risk Analysis Identification 5.4 Risk Assessment Risk Profile

5.2 Communications Service Design – Section 4.5 Service Continuity Management 5.3 Context Setting 5.6 Risk Monitoring 5.5 Risk Treatment Evaluation Risk Analysis Identification 5.4 Risk Assessment Risk Management Policy Process Guide Plans Risk Registers Issue Logs. Risk Profile

5.2 Communications Service Design – Section 4.5 Service Continuity Management 5.3 Context Setting 5.6 Risk Monitoring 5.5 Risk Treatment Evaluation Risk Analysis Identification 5.4 Risk Assessment Risk Profile

5.2 Communications Service Design – Section 4.5 Service Continuity Management 5.3 Context Setting 5.6 Risk Monitoring 5.5 Risk Treatment Evaluation Risk Analysis Identification 5.4 Risk Assessment the overall management framework governance and accountability structures values and ethics operational work environment current risk tolerances of stakeholders individual and corporate risk management culture and tolerances existing risk management expertise and practices human resources capacity level of transparency required local and corporate policies, procedures and processes. Risk Profile

Service Design – Section 4.5 Service Continuity Management 5.3 Context Setting 5.6 Risk Monitoring 5.5 Risk Treatment Evaluation Risk Analysis Identification 5.4 Risk Assessment Embue culture in which everybody is a risk manager Place responsibility for driving risk management high in the organization Open communication is necessary for risk management to succeed Use teams to manage risks Communicate risk management performance. Risk Profile 5.2 Communications

Service Design – Section 4.5 Service Continuity Management 5.2 Communications Risk Profile 5.6 Risk Monitoring 5.5 Risk Treatment Evaluation Risk Analysis Identification 5.4 Risk Assessment 5.3 Context Setting Identification of risk in a selected domain of interest Planning the remainder of the process Mapping out the social scope of risk management, the identity and objectives of stakeholders and the basis upon which risks and constraints will be evaluated Defining a framework for the activity and an agenda for identification Developing an analysis of risks involved in the process Mitigation or Solution of risks using available technological, human and organizational resources.

5.3 Context Setting Service Design – Section 4.5 Service Continuity Management 5.2 Communications Risk Profile 5.6 Risk Monitoring 5.5 Risk Treatment Evaluation Risk Analysis Identification 5.4 Risk Assessment

5.3 Context Setting Service Design – Section 4.5 Service Continuity Management 5.2 Communications Risk Profile 5.6 Risk Monitoring 5.5 Risk Treatment Evaluation Risk Analysis Identification 5.4 Risk Assessment Scope Scope of Risk Nature Nature of Risk Stakeholders Stakeholders Risk Risk Appetite Treatment & Control Mechanisms Potential Potential Action for Improvement Strategy Strategy and Policy Developments

5.2 Communications Service Design – Section 4.5 Service Continuity Management 5.3 Context Setting 5.6 Risk Monitoring 5.5 Risk Treatment Evaluation Risk Analysis Identification 5.4 Risk Assessment Risk Profile Risks must be assessed as to their potential severity of loss and to the probability of occurrence occurrence.

5.2 Communications Service Design – Section 4.5 Service Continuity Management 5.3 Context Setting 5.6 Risk Monitoring 5.5 Risk Treatment Evaluation Risk Analysis 5.4 Risk Assessment Risk Profile Risks are about events events that, when triggered, cause problems. Hence, risk identification can start with the source source of problems, or with the problem problem itself Identification Source Analysis: Risk sources may be internal or external to the system that is the target of risk management. Problem Analysis: Risks are related to identified threats.

Service Design – Section 4.5 Service Continuity Management Objectives-based Objectives-based Scenario-based Scenario-based Taxonomy-based Taxonomy-based Risk Risk Lists charting

5.2 Communications Service Design – Section 4.5 Service Continuity Management 5.3 Context Setting 5.6 Risk Monitoring 5.5 Risk Treatment Evaluation Risk Analysis 5.4 Risk Assessment Risk Profile A combination of the impact of loss rating and the vulnerability rating can be used to evaluate the potential risk to the facility from a given threat Identification

Service Design – Section 4.5 Service Continuity Management x = The impact of the risk event is assessed using a measure (eg., (eg., 0 to 5, where 0 and 5 represent the minimum and maximum possible impact of an occurrence of a risk (usually in terms of financial losses)) The probability of occurrence is also assessed using a scale (eg., 0 to 5, where 0 represents a zero probability of the risk event actually occurring while 5 represents a 100% probability of occurrence (ie., certainty)). Impact of Risk event Probability of Occurrence Composite Risk Index

5.2 Communications Service Design – Section 4.5 Service Continuity Management 5.3 Context Setting 5.6 Risk Monitoring 5.5 Risk Treatment Evaluation Risk Analysis 5.4 Risk Assessment Risk Profile Identification Controls that could mitigate or eliminate the identified risks, as appropriate to the organization’s operations, are identified. The goal of the recommended Controls Controls is to reduce the level of risk to the IT system and its data to an acceptable level. Factors to be considered: Effectiveness of recommended options (e.g., system compatibility) Effectiveness of recommended options (e.g., system compatibility) Legislation and regulation Legislation and regulation Organizational policy Organizational policy Operational impact Operational impact Safety and reliability. Safety and reliability.

5.2 Communications Service Design – Section 4.5 Service Continuity Management 5.3 Context Setting 5.6 Risk Monitoring Evaluation Risk Analysis 5.4 Risk Assessment Risk Profile Prioritization and implementation of the appropriate risk-reducing controls recommended from the Risk Assessment process Identification 5.5 Risk Treatment

5.2 Communications Service Design – Section 4.5 Service Continuity Management 5.3 Context Setting 5.6 Risk Monitoring Evaluation Risk Analysis 5.4 Risk Assessment Risk Profile Identification 5.5 Risk Treatment Avoidance (eliminate, withdraw from or not become involved) Reduction (optimize - mitigate) Sharing (transfer - outsource or insure) Retention (accept and budget)

5.2 Communications Service Design – Section 4.5 Service Continuity Management 5.3 Context Setting 5.6 Risk Monitoring Evaluation Risk Analysis 5.4 Risk Assessment Risk Profile Identification 5.5 Risk Treatment

5.2 Communications Service Design – Section 4.5 Service Continuity Management 5.3 Context Setting 5.6 Risk Monitoring Evaluation Risk Analysis 5.4 Risk Assessment Risk Profile Identification 5.5 Risk Treatment

5.2 Communications Service Design – Section 4.5 Service Continuity Management 5.3 Context Setting 5.6 Risk Monitoring Evaluation Risk Analysis 5.4 Risk Assessment Risk Profile Identification 5.5 Risk Treatment Re-design Re-design business process with adequate built-in risk control and containment measures Periodically Periodically re-assess risks that are accepted in ongoing processes as a normal feature of business operations and modify mitigation measures Transfer Transfer the risk Avoid Avoid risks (e.g. by closing down a particular high-risk business area)

5.2 Communications Service Design – Section 4.5 Service Continuity Management 5.3 Context Setting 5.6 Risk Monitoring Evaluation Risk Analysis 5.4 Risk Assessment Risk Profile Identification 5.5 Risk Treatment Approval Approval by appropriate management level Propose applicable and effective security controls for managing the risks

5.2 Communications Service Design – Section 4.5 Service Continuity Management 5.3 Context Setting Evaluation Risk Analysis 5.4 Risk Assessment Risk Profile Identification 5.5 Risk Treatment Practice, experience, and actual loss results will necessitate changes in the plan and contribute information to allow possible different decisions to be made in dealing with the risks being faced: to to evaluate whether selected controls are still applicable and effective, and evaluate the possible risk level changes in the business environment. 5.6 Risk Monitoring

Service Design – Section 4.5 Service Continuity Management Risk Assessment is a CobIT Control Object (PO09): “IT risk identification and impact analysis, involving multi-disciplinary functions and taking cost-effective measures to mitigate risks.” with the following objectives: Business Risk Assessment - Risk assessment framework, risk assessment at a number of levels, reassessments and information updatesBusiness Risk Assessment - Risk assessment framework, risk assessment at a number of levels, reassessments and information updates Risk Assessment Approach - establish a general risk assessment approach which defines the scope and boundaries, the methodology to be adopted for risk assessments, the responsibilities and the required skillsRisk Assessment Approach - establish a general risk assessment approach which defines the scope and boundaries, the methodology to be adopted for risk assessments, the responsibilities and the required skills Risk Identification - Cause/effect relationships, qualitative and quantitative risk ranking, risk classificationRisk Identification - Cause/effect relationships, qualitative and quantitative risk ranking, risk classification Risk Measurement - Measurement of risk exposure, assessment of risk acceptance capacityRisk Measurement - Measurement of risk exposure, assessment of risk acceptance capacity Risk Action Plan - Cost-effective controls and security measures, risk strategies in terms of avoidance, mitigation or acceptanceRisk Action Plan - Cost-effective controls and security measures, risk strategies in terms of avoidance, mitigation or acceptance Risk Acceptance - Formal acceptance of residual risk, offset by insurance, contractual liabilitiesRisk Acceptance - Formal acceptance of residual risk, offset by insurance, contractual liabilities Safeguard Selection - Control system to balance prevention, detection, correction and recovery measuresSafeguard Selection - Control system to balance prevention, detection, correction and recovery measures Risk Assessment Commitment - Important tool in design and implementation as well as monitoring and evaluation mechanismsRisk Assessment Commitment - Important tool in design and implementation as well as monitoring and evaluation mechanisms

Service Design – Section 4.5 Service Continuity Management Organizations may undertake risk assessment at one of six maturity levels: Little awareness of external requirements that affect IT, with no process regarding compliance with regulatory, legal and contractual requirements requirements. 0 (Non-existent) 1 (Ad Hoc) Risk assessment for processes and business decisions does not occur. The organization does not consider the business impacts associated with security vulnerabilities and with development project uncertainties. 2 (Repeatable) Organization is aware of its legal and contractual responsibilities and liabilities, but considers IT risks in an ad hoc manner, without following defined processes or policies.

Service Design – Section 4.5 Service Continuity Management Organizations may undertake risk assessment at one of six maturity levels: Little awareness of external requirements that affect IT, with no process regarding compliance with regulatory, legal and contractual requirements Little awareness of external requirements that affect IT, with no process regarding compliance with regulatory, legal and contractual requirements. 0 (Non-existent) 1 (Ad Hoc) Risk assessment for processes and business decisions does not occur. The organization does not consider the business impacts associated with security vulnerabilities and with development project uncertainties. 2 (Repeatable) Organization is aware of its legal and contractual responsibilities and liabilities, but considers IT risks in an ad hoc manner, without following defined processes or policies. 3 (Defined) An organization-wide risk management policy defines when and how to conduct risk assessments. Risk assessment follows a defined process that is documented and available to all staff through training. 4 (Managed & Measured) The assessment of risk is a standard procedure and exceptions to following the procedure would be noticed by IT management. It is likely that IT risk management is a defined management function with senior level responsibility. The process is advanced and risk is assessed at the individual project level and also regularly with regard to the overall IT operation. 5 (Optimized) Risk assessment has developed to the stage where a structured, organization-wide process is enforced, followed regularly and well managed. Risk brainstorming and root cause analysis, involving expert individuals, are applied across the entire organization.

Service Design – Section 4.5 Service Continuity Management