Thursday, 25 November 2010

Summary of: A REFERENCE MODEL FOR PROCESS-ORIENTED IT RISK MANAGEMENT


Title: A REFERENCE MODEL FOR PROCESS-ORIENTED IT RISK MANAGEMENT
Author: Stefan Sackmann
Published: 2008

This paper focuses on threats originating from IT and their influence on business process management (BPM): the relevance of IT risks resulting from flexible business processes, the integration of cause-effect relations into the typical risk management process, and the extensions this requires.

It starts by trying to define “IT risks” and settles on the view that “IT risks should be seen as part of operational risks measuring the unexpected losses that are determined by the frequency and amount of losses e.g. by their value at risk”. It then shows the importance of IT in today’s organizations and explains how traditional methods for risk management are challenged by the increasing flexibility of business processes and their support by IT.

“The management of risks occurring from IT in its role as flexible and continuously changing infrastructure supporting business processes requires an extension of “traditional” risk management that enables continuously changing cause-effect relations to be taken into consideration. For this purpose, the layer-based IT Risk Reference Model is proposed providing a formal approach for modeling IT risks in a structured way on the basis of their relation between cause and effect.”

Section 3 then establishes the “IT Risk Reference Model”, modeling the relations between the causes of IT risks and their effects on business processes in four layers:

Layer 4: Business Process (BP): On this layer, parts of the business process are regarded as independent components, defined as enclosed activities that use at least one IT application for their realization.
Layer 3: IT Application / IT Infrastructure (AP): Assigning protection goals to IT applications allows the economic handling of IT risks to be brought together with the more technological one.
Layer 2: Vulnerabilities (VN): The vulnerabilities identified are interpreted as independent “components” that can be associated with at least one IT application.
Layer 1: Threats (TH): This layer includes all known threats that are seen as causes of IT risks and, ideally, can be described with a probability of their occurrence.

Within these four layers, the relations between causes and effects can be modeled in a way that addresses the needs of process-oriented IT risk management. This is done in the 4th section, “MODELING CAUSE & EFFECT RELATIONS FOR IT RISKS”.
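To make the four-layer idea concrete, here is an added toy implementation (my own example, not code from the paper or the author): each relation between adjacent layers (threat exploits vulnerability, vulnerability is present in an application, application realizes a process activity) is stored as a 0/1 matrix, and composing the three matrices yields the threat-to-business-process cause-effect relation. The layer names, the occurrence probabilities, the loss figures and the independence assumption used to turn the relation into an expected loss are all constructed for this example; the paper itself only says the layers are related through matrices.

```python
"""Toy four-layer cause-effect model in the spirit of the IT Risk Reference
Model (TH -> VN -> AP -> BP). Added example; all data below is constructed."""

from typing import Dict, List

Matrix = List[List[int]]

# Layer 1 (TH): threats, each with an assumed occurrence probability (constructed)
THREATS = ["malware", "power outage", "phishing"]
THREAT_PROB = {"malware": 0.2, "power outage": 0.1, "phishing": 0.3}
# Layer 2 (VN): vulnerabilities (constructed)
VULNS = ["unpatched OS", "no UPS", "weak mail filter"]
# Layer 3 (AP): IT applications / infrastructure (constructed)
APPS = ["ERP", "CRM", "mail server"]
# Layer 4 (BP): business process activities with an assumed loss if disrupted
PROCESSES = ["order entry", "invoicing", "customer support"]
LOSS_IF_HIT = {"order entry": 10000, "invoicing": 5000, "customer support": 2000}

# Relation matrices between adjacent layers; rows are the "cause" side.
# TH_VN[i][j] = 1: threat i can exploit vulnerability j
TH_VN: Matrix = [[1, 0, 0],
                 [0, 1, 0],
                 [0, 0, 1]]
# VN_AP[j][k] = 1: vulnerability j is present in application k
VN_AP: Matrix = [[1, 1, 0],
                 [1, 0, 0],
                 [0, 0, 1]]
# AP_BP[k][l] = 1: application k is used to realize activity l
AP_BP: Matrix = [[1, 1, 0],
                 [0, 0, 1],
                 [0, 0, 1]]


def compose(a: Matrix, b: Matrix) -> Matrix:
    """Boolean matrix product: result[i][k] = 1 iff a[i][j] and b[j][k] for some j."""
    cols = len(b[0])
    return [[int(any(a[i][j] and b[j][k] for j in range(len(b))))
             for k in range(cols)] for i in range(len(a))]


def cause_effect_matrix(th_vn: Matrix = TH_VN, vn_ap: Matrix = VN_AP,
                        ap_bp: Matrix = AP_BP) -> Matrix:
    """Collapse the three adjacent-layer relations into one TH x BP matrix."""
    return compose(compose(th_vn, vn_ap), ap_bp)


def affected_processes(th_bp: Matrix) -> Dict[str, List[str]]:
    """For each threat, list the business process activities it can reach."""
    return {t: [p for p, hit in zip(PROCESSES, row) if hit]
            for t, row in zip(THREATS, th_bp)}


def expected_loss(th_bp: Matrix) -> Dict[str, float]:
    """Expected loss per activity. Assumption of this example (not the paper's):
    threats are independent, so P(disrupted) = 1 - prod(1 - p_t) over reaching threats."""
    result: Dict[str, float] = {}
    for l, proc in enumerate(PROCESSES):
        p_safe = 1.0
        for i, threat in enumerate(THREATS):
            if th_bp[i][l]:
                p_safe *= 1.0 - THREAT_PROB[threat]
        result[proc] = (1.0 - p_safe) * LOSS_IF_HIT[proc]
    return result


def without_vulnerability(vn_ap: Matrix, vuln: str) -> Matrix:
    """Model a risk treatment that removes a vulnerability (e.g. patching) by zeroing
    its row, so the cause-effect relation can be re-derived for the changed setup."""
    j = VULNS.index(vuln)
    return [[0] * len(row) if r == j else list(row) for r, row in enumerate(vn_ap)]


if __name__ == "__main__":
    th_bp = cause_effect_matrix()
    for threat, procs in affected_processes(th_bp).items():
        print(f"{threat:14s} -> {', '.join(procs) or '(none)'}")
    for proc, loss in expected_loss(th_bp).items():
        print(f"{proc:17s} expected loss: {loss:8.1f}")
    patched = cause_effect_matrix(vn_ap=without_vulnerability(VN_AP, "unpatched OS"))
    print("malware after patching ->", affected_processes(patched)["malware"])
```

The point of keeping the layers as separate matrices rather than one flat threat-to-process list is the one the paper makes: when the infrastructure changes (a vulnerability is patched, an application is swapped under a process), only the affected matrix is edited and the end-to-end cause-effect relation is recomputed, instead of being re-assessed by hand.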

In the 5th section the paper discusses extensions to the usual risk management steps: risk identification, risk quantification, risk treatment, and risk control.

This paper shows that the relations between the threats to IT (causes) and their implications on the business process activities (effects) have to be modeled in a standardized and formal way. The IT Risk Reference Model proposed in this contribution reduces the complexity of the modeling challenge by defining four layers. The model serves as a framework for modeling the interdependent layers in the form of matrices and allows a formal description of the interdependencies between the separated layers according to a company’s requirements.
