
Risk management in computer technology

Anonymous

Every organization needs a tool that guarantees the correct evaluation of the risks to which the processes and activities of the computing area are exposed, so that, through control procedures, the performance of the computing environment can be evaluated.

Given the need in the business environment for this type of tool, and taking into account that one of the main causes of problems within the computing environment is the inadequate management of computer risks, this work serves as a support for proper risk management, based on the following aspects:

  • The evaluation of the risks inherent in the computer processes.
  • The evaluation of the threats or causes of the risks.
  • The controls used to minimize the threats to the risks.
  • The assignment of those responsible for the computer processes.
  • The evaluation of the elements of the risk analysis.

PART I - RISK MANAGEMENT

  1. THE PROBLEM - RISK MANAGEMENT

Risk is a real-world condition in which there is an exposure to adversity, made up of a combination of environmental circumstances, where there is the possibility of loss.

1.1. RISK CLASSIFICATION

Businesses can fail or suffer losses as a result of a variety of causes. The differences in these causes and their effects form the basis for differentiating the risks, which can be classified as follows:

  • FINANCIAL RISKS: Financial risk involves the relationship between an organization and an asset that can be lost or damaged. Financial risk therefore involves three elements:
  1. The organization that is exposed to losses.
  2. The elements that make up the causes of financial losses.
  3. A danger that can cause the loss (the threat behind the risk).
  • DYNAMIC RISKS: They are the result of changes in the economy that arise from two sets of factors:
  1. External environment factors: the economy, the industry, competitors and customers.
  2. Other factors that can produce the losses underlying speculative risk are the decisions of the organization's management.
  • STATIC RISKS: These risks arise from causes other than changes in the economy, such as dishonesty or human failure.
  • SPECULATIVE RISK: Describes a situation in which there is a possibility of either loss or profit. A good example is a gamble or other situation of chance.
  • PURE RISK: Designates those situations that only generate either loss or profit; an example is the possibility of loss in the purchase of a good (cars, houses, etc.). Pure risks can be classified as follows:
  1. Personal risks: The possibility of loss from the following dangers: premature death, disease and disability.
  2. Possession risks: They cover two different types of loss: direct losses due to the destruction of goods, and indirect losses caused by the consequences of direct losses or by additional expenses.
  3. Liability risks: Their basic hazard is injury to other people or damage to property due to negligence or carelessness.
  4. Physical risks: For example, excessive noise, inadequate lighting, exposure to radiation and inadequate electrical installations.
  5. Chemical risks: This class includes, for example, exposure to solvent vapors, combustion smoke and gases.
  6. Biological risks: Fungi and bacteria.
  7. Psychosocial risks: Unfair economic income, monotony, lack of incentives and motivation.
  8. Ergonomic risks: Uncomfortable workplace, forced body position, repetitive movements when operating machines, overcrowding.
  • FUNDAMENTAL RISK: It involves losses that are impersonal in origin and consequence. Most of them are caused by economic and social phenomena. They affect part of an organization.
  • PARTICULAR RISK: Losses that arise from individual events rather than from an entire group. Unemployment, war, inflation and earthquakes are all fundamental risks; the fire of a house and the robbery of a bank are particular risks.

1.2. BUSINESS RISKS RELATED TO COMPUTERS

The main computer risks of the businesses are as follows:

  • Integrity risks: This type covers all risks associated with the authorization, completeness and accuracy of the input, processing and reporting of the applications used in an organization. These risks apply to every aspect of a business processing support system and are present in multiple places and at multiple times in all parts of the applications; nonetheless, they manifest themselves in the following components of a system:
  1. User interface: Risks in this area generally relate to the restrictions placed on the individuals of an organization and their authorization to execute business / system functions, taking into account their work needs and a reasonable segregation of duties. Other risks in this area relate to the controls that ensure the validity and completeness of the information entered into a system.
  2. Processing: Risks in this area generally relate to the proper balance of detective and preventive controls that ensure that information processing has been completed. This area also covers the risks associated with the accuracy and completeness of the reports used to summarize results and make business decisions.
  3. Error processing: Risks in this area generally relate to the methods that ensure that any input / processing errors (exceptions) are properly captured, corrected and completely and accurately reprocessed.
  4. Interface: Risks in this area generally relate to the preventive and detective controls that ensure that information has been properly processed and transmitted between applications.
  5. Change management: Risks in this area can generally be considered part of the infrastructure risk and of the impact of application changes. They are associated with inadequate management of organizational change processes, including the commitment and training of users to the changes, and how the changes are communicated and implemented.
  6. Information: Risks in this area can generally be considered part of the application infrastructure. They are associated with the inadequate administration of controls, including the integrity and security of the processed information and the effective administration of database systems and data structures. Integrity can be lost due to programming errors (good information is processed by poorly constructed programs), processing errors (incorrectly processed transactions), or error management and processing (poor system maintenance management).
  • Relationship risks: Relationship risks refer to the timely use of the information created by an application. These risks are directly related to decision-making information (correct information and data from the correct person / process / system at the right time allow correct decisions to be made).
  • Access risks: These risks focus on inappropriate access to systems, data and information. They include the risks of inappropriate segregation of duties, the risks associated with the integrity of information in database systems, and the risks associated with the confidentiality of information. Access risks can occur at the following levels of the information security structure:
  1. Business processes: Organizational decisions must separate incompatible functions of the organization and provide the correct level of function execution.
  2. Application: The internal application of security mechanisms that provide users with the functions necessary to carry out their work.
  3. Information management: The mechanism that provides users with access to environment-specific information.
  4. Processing environment: Risks in this area arise from inappropriate access to the environment of programs and information.
  5. Networks: This area refers to inappropriate access to the network environment and its processing.
  6. Physical level: Physical protection of devices and appropriate access to them.
  • Usefulness risks: These risks focus on three different levels:
  1. Risks that can be faced by addressing systems before problems occur.
  2. Recovery / restoration techniques used to minimize system breakdown.
  3. Backups and contingency plans to control disasters in information processing.
  • Infrastructure risks: These risks refer to organizations not having an effective information technology structure (hardware, software, networks, people and processes) to adequately support the present and future needs of the business at an efficient cost. They are associated with the information technology processes that define, develop, maintain and operate an information processing environment and its associated applications (customer service, bill payment, etc.). They are generally considered in the context of the following IT processes:
  1. Organizational planning: The processes in this area ensure the definition, verification and impact assessment of IT in the business. They also check that there is an adequate organization (people and processes) to ensure that the computer technology efforts will be successful.
  2. Defining applications: The processes in this area ensure that applications meet user needs and support the context of the business processes. They include the decision to buy an existing application or to develop a custom solution. They also ensure that any changes to applications (purchased or developed) follow a defined process that confirms that critical process / control points are consistent (all changes are reviewed by users prior to deployment).
  3. Security administration: The processes in this area ensure that the organization is adequately directed to establish, maintain and monitor an internal security system, with administration policies regarding the integrity and confidentiality of the organization's information and the reduction of fraud to acceptable levels.
  4. Network and computer operations: The processes in this area ensure that information systems and network environments are operated in a safe and secure scheme, and that information processing responsibilities are performed by defined, measured and monitored operational personnel. They also ensure that the systems are consistent and available to users at a satisfactory performance level.
  5. Database systems administration: The processes in this area are designed to ensure that the databases used to support critical applications and reports have consistent definitions, match requirements and reduce the potential for redundancy.
  6. Information / business: The processes in this area are designed to ensure that an adequate plan exists so that information technology will be available to users when they need it.
  • General safety risks: The IEC 950 standard provides design requirements to achieve general safety and to decrease the following risks:
  1. Electrical shock risks: High voltage levels.
  2. Fire hazards: Flammability of materials.
  3. Risks of inadequate levels of electrical energy.
  4. Radiation risks: Noise, laser and ultrasonic waves.
  5. Mechanical risks: Instability of electrical parts.

1.3. PROCEDURE TECHNIQUES FOR MANAGING RISKS

  • AVOID RISKS: A risk is avoided when it is not accepted in the organization. This technique can be more negative than positive: if risk avoidance were used excessively, the business would be deprived of many opportunities for profit (for example, the risk of making an investment) and would probably not achieve its objectives.
  • RISK REDUCTION: Risks can be reduced, for example, with security programs, security guards, alarms and the estimation of future losses with the advice of experts.
  • RISK RETENTION (CONSERVATION): This is perhaps the most common method of facing risks, since many times the positive action is not to transfer or reduce the risk. Each organization must decide which risks are retained and which are transferred based on its contingency margin: a loss that is a financial disaster for one organization can easily be sustained by another.
  • SHARING RISKS: When risks are shared, the possibility of loss is transferred from the individual to the group.
  2. SOLUTIONS IN RISK MANAGEMENT

2.1. DEFINITION OF RISK MANAGEMENT

Risk management is a scientific approach to risk behavior, anticipating possible accidental losses with the design and implementation of procedures that minimize the occurrence of losses or the financial impact of losses that may occur.

2.2. RISK ADMINISTRATION TOOLS

The main techniques or tools used in risk management are:

  • Risk Control: A technique designed to minimize the possible costs caused by the risks to which the organization is exposed. It includes the rejection of any exposure to loss from a particular activity and the reduction of the potential for possible losses.
  • Risk Financing: It focuses on guaranteeing the availability of financial resources for the losses that may occur. Risks are often transferred or retained. When retained, they are accompanied by a specific allocation of the budget and may include the accumulation of a financial reserve to cover deviations. When transferred, the financing covers contractual arrangements and the outsourcing of certain activities.

2.3 RISK ADMINISTRATION PROCESS

The process consists of the following steps:

  • Determine the Objectives: The first step in risk management is to decide precisely what the risk management program is to accomplish. To get the maximum benefit from the expenses associated with risk management, a plan is necessary; otherwise, the risk management process is seen as a series of isolated problems rather than a single problem, and there are no guidelines to provide logical consistency in the organization's processes.

The main objective of risk management, as the first law of nature, is to guarantee the survival of the organization, minimizing the costs associated with risks. Many of the shortcomings in risk management lie in the absence of clear objectives.

The objectives of risk management are formalized in a “corporate risk management policy”, which describes the policies and measures taken to achieve it.

Ideally, risk management objectives and policies should be the product of the decisions of the company's Board of Directors.

  • Identification of Risks: It is difficult to generalize about the risks of an organization because the conditions and operations are different, but there are ways to identify them, among which are:
  • Risk identification tools: The most important tools used in risk identification include: internal records of the organization, checklists for insurance policies, risk analysis questionnaires, process flows, financial analysis, operations inspection and interviews.
  • Combination approach: The preferred approach in risk identification is a combination approach, in which all the risk identification tools are brought to bear on the problem. In a nutshell, each tool can solve a part of the problem and, combined, they can be a considerable help to the risk manager. Risks can arise from many sources, which is why the risk manager needs a fast information search system, designed to provide a flow of information about changes in operations and changes in relationships with external entities.
  • Risk evaluation: Once the risks have been identified, the risk manager should evaluate them. This involves measuring the potential for loss and the probability of loss, and ordering the risks by priority. A set of criteria can be used to establish priority, focused on the potential financial impact of the losses, for example:
  1. Critical risks: All exposures to loss whose magnitude reaches bankruptcy.
  2. Important risks: Exposures to losses that do not bankrupt the organization, but require action for it to continue operations.
  3. Unimportant risks: Exposures to losses that do not cause a large financial impact.
  • Consideration of alternatives and selection of risk treatment mechanisms: The next step is to consider the techniques that can be used to deal with the risks. These techniques include avoiding risks, retention, transfer and reduction. Some of the organization's risk management policies establish the criteria to be applied in the choice of techniques, outlining the rules within which the risk manager can operate.
  • Decision implementation, evaluation and review: This step must be included for two reasons. First, the risk management process is not the ultimate panacea: things can change, new risks emerge and old risks disappear, and the risk management program allows the risk manager to review decisions and discover errors.

2.4 RESPONSIBILITIES OF THE RISK ADMINISTRATOR

  1. Develop risk management policies: The risk manager assists the organization in identifying objectives and preparing policies with senior management.
  2. Identify risks: This is arguably the most difficult function of risk management. It requires a large information system that alerts the risk manager to new exposures to loss.
  3. Select financial alternatives: Based on the organization's financial structure, the risk manager recommends the path to take.
  4. Negotiate the scope of insurance: The risk manager must determine what insurance is necessary and must obtain the best combination of scope and cost.
  5. Oversee internal administration: This function includes loss statistics, risk administration manuals, renewal monitoring and schedule administration.
  6. Manage risk functions: This function includes insurance monitoring and the supervision of insurance contracts.
  7. Supervise loss prevention: Without being experts, risk managers must have a global knowledge of the areas exposed to loss.
  3. DECISIONS IN RISK MANAGEMENT

The main decisions to be made in risk management are:

  • Instinctive Reactions to Risk: The natural instinct for self-preservation and the instinctive reaction to danger are control measures that can be classified as learned behavior. These become innate standards of behavior and represent personal rules for loss prevention.
  • Good and bad decisions in risk management: One of the most complex issues in risk management decisions is to distinguish good decisions from bad ones, because risk management encompasses decisions made under conditions of uncertainty, which are sometimes judged inappropriately. The evaluation must be made based on the information that was available and up to date at the time.
  • Cost-Benefit Analysis: Cost-benefit analysis attempts to measure the contribution that risk management makes, verifying whether its benefits exceed its cost. Currently, cost-benefit analysis can be used to judge any decision where the benefits are realized over the estimated time. Although cost-benefit analysis is a good technique for making risk management decisions, the nature of risks creates impediments to its use: costs can generally be measured, but benefits cannot.
  • Utility Theory: Utility theory was originally introduced to explain the nature of the demand function, that is, the utility or satisfaction derived from an economic benefit does not increase proportionally with increases in the good. Using this technique as a basis for decision-making, consistent, though sometimes inadequate, decisions emerge.
  • Decision Theory: Also called decision analysis, it can be used to determine optional strategies when a decision made is faced with some alternative decisions and an uncertain model of future events.

The analyst's first step in decision theory given a problem is to list all available decision alternatives; The second step is to list all the future events that could occur, these future events are called the "States of Nature" of the problem. Decision situations are divided into 3 types:

  1. Decision-making under certainty: one and only one "state of nature" exists, and the decision is made with certainty.
  2. Decision-making under risk: there is more than one "state of nature", and each available state has a known probability.
  3. Decision-making under uncertainty: there is more than one "state of nature", but nothing is known about the probability or chance of occurrence of the various states.

3.1 RISK ADMINISTRATION RULES

Risk management has been considered a special functional area of the organization, for which its principles and techniques have been formalized. The following rules were created within the field of risk management:

  • Do not risk more than possible: The most important factor in determining which risks require some specific action is the maximum potential loss. Some losses can be potentially devastating, literally beyond the means of the organization, while others involve lesser financial consequences. If the maximum potential loss of a threat is large, the loss is unmanageable and the risk must be transferred.
  • Consider the differences: This rule suggests that the probability of loss may be an important factor in deciding what to do about a particular risk.
  • Do not risk much for little: This rule dictates that there must be a reasonable relationship between the cost of transferring a risk and the value that accrues to those who transfer it. The rule works in two directions: first, risks cannot be retained when the possible loss is large relative to the benefit obtained through retention; second, in some instances the premium required to insure a risk is not proportional to the risk transferred.
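The evaluation criteria of section 2.3 (critical, important, unimportant) and the three rules of section 3.1 can be applied mechanically to a risk register. The following Python is an added example, not part of the original article: the retention capacity, the material-loss threshold, the 10 % premium ratio and the sample risks are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Assumed thresholds (not from the article): the loss the organization can absorb,
# i.e. its retention capacity as read from the balance sheet, and the smallest
# loss that still forces action for the organization to keep operating.
RETENTION_CAPACITY = 500_000
MATERIAL_LOSS = 50_000
# "Do not risk much for little": a transfer is accepted when the premium is at
# most this fraction of the maximum loss it removes (assumed ratio).
LITTLE_FRACTION = 0.10


class Priority(Enum):
    CRITICAL = 0      # magnitude of the loss reaches bankruptcy
    IMPORTANT = 1     # does not bankrupt, but requires action to continue operating
    UNIMPORTANT = 2   # no large financial impact


@dataclass
class Risk:
    name: str
    max_loss: float                          # maximum potential loss, monetary units
    probability: float                       # probability of the loss per period (0..1)
    transfer_cost: Optional[float] = None    # premium to transfer it; None if uninsurable
    reduction_cost: Optional[float] = None   # cost of controls that reduce the loss
    reduced_loss: Optional[float] = None     # maximum loss after those controls


def expected_loss(risk: Risk) -> float:
    """Probability of loss times potential loss (section 2.3, risk evaluation)."""
    return risk.probability * risk.max_loss


def classify(risk: Risk, capacity: float = RETENTION_CAPACITY,
             material: float = MATERIAL_LOSS) -> Priority:
    """Section 2.3 criteria, ordered by the potential financial impact of the loss."""
    if risk.max_loss >= capacity:
        return Priority.CRITICAL
    if risk.max_loss >= material:
        return Priority.IMPORTANT
    return Priority.UNIMPORTANT


def select_treatment(risk: Risk) -> str:
    """Choose avoid / reduce / transfer / retain using the rules of section 3.1."""
    priority = classify(risk)
    # Rule 1, do not risk more than possible: a loss beyond the retention
    # capacity cannot be kept; transfer it if an insurer will take it, else avoid.
    if priority is Priority.CRITICAL:
        return "transfer" if risk.transfer_cost is not None else "avoid"
    # Rule 2, consider the odds: the probability turns the maximum loss into an
    # expected loss, and controls are a cost-benefit decision against it.
    if risk.reduction_cost is not None and risk.reduced_loss is not None:
        benefit = risk.probability * (risk.max_loss - risk.reduced_loss)
        if benefit > risk.reduction_cost:
            return "reduce"
    # Rule 3, do not risk much for little: an important risk is transferred when
    # the premium is small next to the loss being kept, otherwise it is retained.
    if (priority is Priority.IMPORTANT and risk.transfer_cost is not None
            and risk.transfer_cost <= LITTLE_FRACTION * risk.max_loss):
        return "transfer"
    return "retain"


def prioritized_register(risks: list) -> list:
    """Rows of (name, priority, expected loss, treatment), ordered by priority
    class and then by expected loss, as section 2.3 asks."""
    rows = [(r.name, classify(r), expected_loss(r), select_treatment(r)) for r in risks]
    rows.sort(key=lambda row: (row[1].value, -row[2]))
    return rows


# Constructed sample register; every figure is invented for the illustration.
SAMPLE_RISKS = [
    Risk("Data centre fire", 2_000_000, 0.01, transfer_cost=25_000,
         reduction_cost=30_000, reduced_loss=400_000),
    Risk("Ransomware on billing system", 300_000, 0.20, transfer_cost=40_000,
         reduction_cost=20_000, reduced_loss=60_000),
    Risk("Laptop theft", 5_000, 0.50, transfer_cost=1_500,
         reduction_cost=4_000, reduced_loss=1_000),
    Risk("Warehouse flood", 200_000, 0.03, transfer_cost=8_000),
    Risk("Vendor contract dispute", 80_000, 0.05, transfer_cost=15_000),
]

if __name__ == "__main__":
    for name, prio, exp, action in prioritized_register(SAMPLE_RISKS):
        print(f"{prio.name:<11} {exp:>10,.0f} {action:<8} {name}")
```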
  4. EVALUATION AND REVIEW OF PROBLEMS IN RISK ADMINISTRATION

Assessment and review are important to the risk management process for two reasons:

  1. Things change: new risks emerge and old risks disappear, and solutions that were appropriate in the past may no longer be.
  2. Errors are constantly emerging, and persistent review provides an opportunity to discover past errors.

4.1. EVALUATION AND GENERAL REVIEW

This phase corresponds to the administrative part of risk management control, the purpose of the control is to verify that the operations are in accordance with what was planned and requires:

  • Standards and objectives to be achieved.
  • Measurement of the execution of operations against these standards and objectives.
  • Corrective actions when the results differ from what is desired.

4.2 AUDIT IN RISK ADMINISTRATION

The audit process includes the following steps:

  1. Evaluate risk management objectives and policies: Evaluating a risk management program involves measuring the program against standards, and the objectives of the program represent the first logical standards. This assessment generally includes a review of the organization's finances and its ability to withstand losses.
  2. Identify and evaluate risks: After the objectives have been defined and evaluated, the next step is to identify the existing risk exposures in the organization. This step consists of an analysis of operations to determine the different exposures to loss.
  3. Evaluate the decisions related to loss: This step includes a review of the extent of the risks.
  4. Evaluate the risk management measures that have been implemented: This step evaluates past decisions, verifying that each decision was properly implemented. It includes a review of control measures and financial losses.
  5. Recommend changes for the benefit of the program.

4.2.1. SCOPE OF THE AUDIT OF THE RISK ADMINISTRATION

The three main areas that can be audited are:

  • Risk management policies: This aspect focuses on the objectives of the program, the responsibility and authority of the risk manager, and the consistency of the policies with the objectives.
  • Risk control: The specialized nature of loss prevention and control for the various types of risk makes specialized audits necessary, which may include: protection audit, security audit, environmental audit, computer security audit and property loss control audit.
  • Security function: This function can be audited at two levels: the first is the evaluation of its role in the risk management program as a whole; the second is a more detailed review of the security program, which examines its scope through a detailed analysis.
  5. OBJECTIVES OF RISK ADMINISTRATION

The following are the most common objectives:

  • Ensure the best management of resources.
  • Minimize the cost to the business caused by risks.
  • Protect employees from harm.
  • Know the contractual and legal obligations.
  • Eliminate subsequent concerns.

5.1. CLASSIFICATION OF OBJECTIVES

  • ECONOMIC:

The objective is to reduce the cost of business caused by risks to the lowest possible level.

  • REDUCE ANXIETY:

Refers to the reassurance gained from having measures used to manage adversity. When potential catastrophes are not managed, uncertainty can distract managers to make their corporate decisions correctly.

  • GET STABILITY:

The objective of stability is supported by the effect caused by large variations that may arise from third parties and how to contribute to reduce these variations.

  • CONTINUE DEVELOPMENT:

Maximizing profits is not always the dominant objective in an organization. Another corporate objective is the ability to continue growing.

  • SOCIAL RESPONSIBILITY:

It refers to the variety of social obligations that the organization has with its employees and with society in general; Sometimes conflicts arise with the objective of the economy.

5.2 RISK ADMINISTRATION POLICIES

A policy is a general guide to action, this is a standard plan of the organization that translates the objectives into more specific guides. In determining risk management policies for a particular organization, decisions are taken into account that can only be made by the organization's management. In the design of risk management policies, some factors are necessary to make decisions, which are:

  • The basic objectives of the risk management program: The main objective is to preserve the operational efficiency of the organization. This objective involves avoiding financial losses caused by disasters that impede the basic functions of the organization.
  • Retention program consolidation: When the risk management policy specifies a maximum level of retention (delineation of exposures or losses that will not be retained), there is a reasonable direction of consolidation of retained losses, allowing great flexibility in control decisions.
  6. RISK IDENTIFICATION

Before facing the risks, someone must identify them. This task is never ending, as new threats are constantly emerging.

Risk identification is continuous and depends on the communication network within the organization, generating a constant flow of information about the organization's activities.

6.1. RISK IDENTIFICATION METHODOLOGIES

Risk identification techniques have been developed simultaneously by professionals from different disciplines, each focused on their own specialty. These professionals include insurance professionals, security specialists, industrial engineers, accountants, and general engineers.

Risk identification techniques were generally developed as part of loss prevention and control efforts:

  • Identification based on past losses: Until recently, the primary risk identification methodology was the observation of losses that have occurred, as a rule the identification of risks is not performed until a loss occurs. Whenever a risk occurs, measures are taken that possibly prevent the occurrence of losses from the same source. Insurance companies played the largest role in the development of risk identification techniques and most of the methods they developed were based on analysis of past losses; insurers also developed checklists, which provide a basis on which risk identification can be built.

There is a process called "underwriting", which consists of deciding whether to insure a particular exposure and the rate at which it will be insured. In this process, inspections are made to accumulate information about the risks, and corrective measures can be taken based on those inspections; from this experience, the science of risk identification has been shaped. Based on the analysis of past experience, future losses can be predicted, because losses vary with the causes that surround them. Additionally, the historical loss record is also used to identify the causes of past losses, which serves as a basis for loss prevention and control measures.

  • Security Systems Techniques: In the 1960s, scientific engineers of the United States military developed a hazard identification approach; historically, risks had been identified from experience after a loss happened. The activities involved in the space and military programs represented new frontiers, for which a new approach was necessary. The greatest contribution of the space and military programs to the body of knowledge of loss prevention and control was the introduction of security-oriented systems. The term "Security Systems" is generally used to describe a collection of mathematical and logical techniques that are applied continuously to the detection and correction of threats, from the conceptual state of the product through its detailed design and operation.

This process includes a study of operational procedures, examining procedures, and senior management reviews. The systems with which the engineers were busy were complex, requiring a new vision of risk identification. To deal with this situation, scientists developed a variety of techniques that are known as "Security Systems" and that are part of the risk manager's arsenal. Some features distinguish the security systems approach from the traditional loss prevention methodology. The main feature is the emphasis on identifying possible causes of accidents before they occur.

6.2. RISK IDENTIFICATION TOOLS

The term "Risk Identification Tools" encompasses some standard forms and checklists that are designed to facilitate the risk identification process. As such, these tools are distinguished as documents that provide a picture of risks. The tools provide a guide to organize and interpret the information accumulated with risk identification techniques.

  • Risk analysis questionnaires: The key tool in risk identification is the questionnaire. Questionnaires are designed to guide the risk manager to discover threats through a series of questions and, in some instances, to cover both insurable and uninsurable risks. The risk analysis questionnaire is designed to serve as a repository for the information accumulated from documents, interviews and inspections. Its purpose is to guide the person trying to identify risk exposures through the identification process in a logical and consistent manner.
  • Checklists of risk exposures: A second important aid in identifying risks and one of the most common tools in risk analysis are checklists, which are simply a list of risk exposures.
  • Security Policy Checklists: This tool includes a catalog of various security policies that a given business may need. The risk manager consults the policies collected and applied to the firm.
  • Expert systems: An expert system used in risk management incorporates the aspects of the tools described above in a single tool. The integrated nature of the program allows the user to generate written proposals and prospects.

6.3. RISK IDENTIFICATION TECHNIQUES

The risk identification tools describe a structure that interprets the information derived from four risk identification techniques, which are:

  • ORIENTATION: The first step in identifying risks is to gain knowledge of the organization and its operations. The risk manager needs a general understanding of the assets and functions of the organization.
  • DOCUMENT ANALYSIS: The history of the organization and its current operations are filed in a variety of records. These records represent a basic source of the information required by the risk analysis; the auditor should obtain internal documents that contain the activities and history of the organization. The main documents where relevant information is extracted are:
  1. Financial Analysis Report: Financial reports can be an important source of information for the risk management function; Balance sheets and profit and loss statements are basic sources of information about the organization.

Although financial reporting is only one facet of an organization's system record, it represents an important source of risk identification information. The organization's balance sheet, for example, reveals the existence of various types of assets, which guide the auditor to search for information on the possible losses to which the assets are exposed. Simultaneously, the balance can also indicate how much money or capital is available as a measure of loss retention capacity.

  1. Flowcharts: Analysis of operations flowcharts can alert the risk manager to unusual aspects of the firm's operations, a flow chart of the organization's internal operations - revealing the type and sequence of its activities - viewing the firm as a processing unit in search of discovering all the contingencies that may interrupt its processes. The most positive benefit of using flow charts is likely to force the risk manager to become familiar with the technical aspects of the organization's operations.
  1. Organizational Charts: An organizational chart reveals the divisions of the organization, reporting their relationships, organizational charts also provide the risk identifier with an understanding of the nature and scope of the organization's operations.
  1. Existing Policies: The auditor will need existing policies to assess the scope of the risk identification and the information collected.
  1. Loss reporting: Another important source of information that can assist in identifying risks is the organization's record of its own past losses; Examination of loss records will indicate the kinds of losses that have occurred, calculating the degree of risk of certain activities or operations.
  1. Interviews: Another important source of information that can help in identifying risks is interviews with key personnel with the organization; some information is not recorded in documents or records only existing in the minds of executives and employees. The following are some of the key people to interview: plant engineers, chief of staff, security administrators, employees, and supervisors.
  1. Inspections: It is the most used tool to obtain a good knowledge of operations. Inspection is one of the most important parts of the process of developing an overview because:
  • Helps familiarize the auditor with the organization Helps indicate potential protection rates Helps reveal potential losses

6.4. INFORMATION SYSTEMS IN RISK ADMINISTRATION

The risk manager needs to maintain a system holding the wide range of information that bears on the risks of the organization.

Most of the information required for risk management already exists in organizations, but largely in unstructured form. It becomes far more useful when it is organized in a risk management information system (RMIS).

The purpose of the RMIS is to support the risk analysis decision process by consolidating the various aspects of the risk management function in a database, providing the raw material for the decisions to be made.

6.4.1 RISK MANAGEMENT RECORD SYSTEMS

Information about the risks of the organization is the raw material for the decisions to be made on a problem. Loss records and statistics are essential tools of risk management. The main items of information are:

- Property value programs

- List of equipment and properties

- Request for insurance offer

- Security policies and records

- Report of claims

- Information and comparison between profit and loss

6.4.2. INTERNAL COMMUNICATION SYSTEMS

The records of the risk management information system need information channels that ensure that everything related to the risk management function is channeled to the audit department, and the risk manager must be informed of:

- New construction, remodeling or renovation of company properties.

- Introduction of new programs, products, activities or operations.

- Personnel changes and movements.

- Information on the activities of the entire organization.

6.5. RISK MANAGEMENT POLICIES MANUAL

It is a central repository of all corporate insurance policies and all risk management policies. Copies of the manual can be distributed to the units of the corporation as a way of communicating the mutual expectations between risk management and the different departments of the company.

  7. RISK CONTROL

Primitive man lived in caves and sometimes in trees to protect himself from dangerous wild animals. The first loss prevention practitioner was the human who climbed a tree to escape a saber-toothed tiger. The history of civilization is a record of man's confrontation with the forces of nature and other dangers.

This part will examine the concept of risk control in a generic context based on the general principles of risk control.

7.1 GENERAL PRINCIPLES OF RISK CONTROL

Risk control has been an integral part of the risk management process since the concept of risk management was conceived. The two main risk control techniques are avoiding risks and reducing risks.

  • AVOID RISKS: Technically, a risk is avoided when a decision is made to prevent it before it exists. "Avoid risks" should be used when the exposure has catastrophic potential and the risk cannot be reduced or transferred. Generally these conditions exist when both the frequency and the severity of the risk are high: the high loss potential means the risk cannot be retained, and the high frequency virtually guarantees that controls will not be economically feasible.
  • GOVERNMENT STANDARDS: OSHA regulations are perhaps the best example of institutional loss control standards. OSHA was designed to ensure, as far as possible, that every working person in the nation has safe conditions in which to carry out their tasks, thus preserving human resources.

7.2 THE CONTROL AND THE RISK MANAGER

Ideally, a well-designed loss control and prevention program should cover the following areas:

- Personal security.

- Security of goods.

- Control of loss responsibilities.

- Protection of properties.

- Physical security.

Loss prevention in each of these areas is a highly technical and specialized function, sometimes requiring expert specialists.

7.3. THEORIES OF ACCIDENT CAUSES

Understanding why accidents happen is useful for designing programs to prevent them. To date, no dominant general theory of how accidents occur has been developed; instead there are two separate theories, each with explanatory and predictive value:

  • HEINRICH'S DOMINO THEORY:

According to Heinrich, an "accident" is one factor in a sequence that can lead to an injury, as illustrated in figure No. 1. The factors can be pictured as a row of dominoes standing on edge: when one falls, a chain reaction follows.

Each factor depends on the one before it, as follows:

  1. Injury to personnel occurs only as a result of an accident.
  2. An accident occurs as a result of a personal or mechanical hazard.
  3. Personal and mechanical hazards exist because of a personal fault.
  4. Personal faults are inherited or acquired from the environment.
  5. Ancestry and the social environment shape the conditions into which an individual is born.

The domino theory states that when an injury occurs all five factors are involved, and that if one factor in the sequence is removed the loss can be prevented. According to Heinrich, an accident is any unplanned and uncontrolled event in which the action or reaction of an object or person may result in injury or damage. After a study of 75,000 industrial accidents, Heinrich concluded that 98% of all accidents are preventable, so that the cost of industrial accidents can be reduced with some form of loss control; the remaining 2% he classified as "acts of God".

  • HADDON'S ENERGY RELEASE THEORY:

Instead of concentrating on human behavior, Haddon views accidents as a physical engineering problem. Accidents result when energy gets out of control and puts more stress on a structure (property or person) than it can tolerate without harm. Haddon suggests ten strategies for suppressing accident-causing conditions or strengthening accident-resisting conditions:

  1. Prevent the creation of the hazard in the first place.
  2. Reduce the amount of hazard produced.
  3. Prevent the release of hazards that already exist.
  4. Modify the rate of release from the source of the hazard.
  5. Separate in time and space the hazard from what is to be protected.
  6. Separate the hazard from what is to be protected by means of a barrier.
  7. Modify the basic qualities of the hazard.
  8. Make what is to be protected more resistant to the hazard.
  9. Counter the damage already done by the hazard.
  10. Stabilize, repair or rehabilitate the damaged object.

7.4. SCIENTIFIC APPROACHES TO THE CONTROL AND PREVENTION OF RISKS

Heinrich and Haddon's theories provide a basis for understanding different approaches to risk control and prevention. Efforts to prevent loss and reduce its impact take place at virtually every phase of human activity. The main approaches are:

  • ENGINEERING APPROACH: The basic premise of the engineering approach is that people have little regard for their own safety and that it is human nature to take the easy way; this approach must therefore protect people from themselves.
  • HUMAN BEHAVIOR APPROACH: This approach focuses on safety education and personal motivation. It holds that the majority of accidents are caused by unsafe acts and that the largest gains in loss prevention can be achieved through efforts to change human behavior. These efforts include:
  1. Education: It alerts people to the existence of risks and their consequences and also provides guidance on performing their functions safely.
  2. Enforcement: To motivate the desired behaviors, rules and regulations must be enforced by the organization.
  • RISK CONTROL TECHNIQUES: These techniques include efforts to prevent the occurrence of losses and to minimize unanticipated costs. They include:
  1. Control measures by time of application: Control measures are classified according to when they act: before the accident, at the time of the accident and after the accident (see figure No. 2).
  2. Control measures by mechanism: The measures are directed at each element involved, that is, the individual, the machinery or the equipment.

Figure No. 2: matrix of control measures, with the rows Individual, Machinery and Equipment and the columns Before the event, At the time of the event and After the event.

  • SPECIALIZED LOSS CONTROL TECHNIQUES: As has been observed, the list of loss control and prevention techniques is virtually endless. The above are the most common, but there are also specialized techniques:
  1. Separation of assets: Its purpose is to limit the value of the assets exposed to loss in a single occurrence.
  2. Recovery (salvage): Designed to protect property from further damage after a loss has occurred.
  3. Rehabilitation: On the job, it reduces the financial loss from an injury by reducing the compensation paid to injured workers.
  4. Redundancy: Duplicating critical elements can prevent the adverse effects of accidents and reinforces the other safety control measures.

7.5. SECURITY SYSTEMS

Security systems (system safety) are a branch and development of systems engineering, which applies engineering to the design and creation of complex systems in response to problems whose growing complexity cannot be solved with traditional approaches. Security systems view a process, a situation, a problem, a machine or any other entity as a system.

The resources that make up an organization include materials, personnel, procedures, technology, time and other factors. An accident occurs when a human or mechanical component fails to function. The purpose of security systems is to identify these failures and eliminate them or minimize their effects, and they consist of a variety of techniques designed to analyze and identify potential failures in organizations. The premise behind their methodologies is that accidents result from failures and can be prevented by identifying those failures before they occur. The first distinction between security systems and traditional approaches is the emphasis on identifying losses that have not yet occurred; a second difference is their firm reliance on the principle of causality; and a third is their total emphasis on accident prevention.

7.5.1. SECURITY SYSTEM TECHNIQUES

  • HAZARD MODE AND EFFECTS ANALYSIS (HMEA), the failure mode and effects analysis (FMEA) of system safety: It attempts to identify potential failures in a system through a detailed risk identification analysis. The analysis can be prepared at any level of complexity (system, subsystem, component or detailed part), and its worksheet generally has the following columns:
  1. Risk mode: the undesirable event that may occur, or the desirable event that may fail.
  2. Risk mechanism: the hardware or software that may cause the failure.
  3. Cause of risk: the human or mechanical reasons why the failure can occur.
  4. Effect of risk: the immediate functional result of the risk.
  5. Risk severity: the impact of the malfunction on the system's objectives.
  6. Detection of risk: the first observable indication or display of the malfunction.
  7. Likelihood of risk: an estimate of the probability of the malfunction.
  8. Measures taken with risk: possible measures to eliminate the risk mechanism.
  9. Preventive action: the action implemented to eliminate or control the risk.
  10. Control resources: the value of all the resources required to implement the preventive actions.

Table No. 2 Input columns in the hazard mode and effects analysis.
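As an added example (not part of the original article), the following Python script scores worksheet rows of this kind with the risk priority number used in FMEA practice, the product of the severity, likelihood and detection ratings, and flags the rows that need action. The 1..10 rating scales, the threshold of 100, the rule that catastrophic severity is flagged regardless of the product, and the four sample rows are all assumptions made for the example.

```python
from dataclasses import dataclass

RATING_MIN, RATING_MAX = 1, 10   # assumed 1..10 scale for all three ratings
RPN_THRESHOLD = 100              # assumed action threshold for the product
CATASTROPHIC = 9                 # assumed severity at which the product is ignored


@dataclass(frozen=True)
class FailureMode:
    """One worksheet row: the first four columns of table No. 2 plus the three rated columns."""
    mode: str          # risk mode: the undesired event
    mechanism: str     # hardware/software that can cause it
    cause: str         # why it can happen
    effect: str        # immediate functional result
    severity: int      # 1 = negligible .. 10 = catastrophic
    likelihood: int    # 1 = rare .. 10 = almost certain
    detection: int     # 1 = always caught before harm .. 10 = undetectable


def rpn(fm: FailureMode) -> int:
    """Risk priority number: severity x likelihood x detection."""
    for value in (fm.severity, fm.likelihood, fm.detection):
        if not RATING_MIN <= value <= RATING_MAX:
            raise ValueError(f"rating {value} outside {RATING_MIN}..{RATING_MAX}")
    return fm.severity * fm.likelihood * fm.detection


def needs_action(fm: FailureMode) -> bool:
    """High product, or catastrophic severity regardless of how rare or detectable."""
    return rpn(fm) >= RPN_THRESHOLD or fm.severity >= CATASTROPHIC


def rank(modes):
    """Rows ordered worst first; ties on the product are broken by severity."""
    ordered = sorted(modes, key=lambda fm: (rpn(fm), fm.severity), reverse=True)
    return [(fm.mode, rpn(fm), needs_action(fm)) for fm in ordered]


# Constructed sample worksheet for a small server room (not real data).
WORKSHEET = [
    FailureMode("Nightly backup job fails silently", "backup script",
                "exit status of the tape write is not checked",
                "no restorable copy exists at recovery time", 9, 4, 8),
    FailureMode("Shared administrator password disclosed", "credential reuse",
                "password kept on an internal wiki page",
                "unauthorised administrative access", 8, 5, 6),
    FailureMode("UPS battery exhausted during outage", "UPS",
                "batteries past service life", "unclean shutdown of servers", 5, 3, 2),
    FailureMode("Fire destroys the server room", "building",
                "electrical fault", "total loss of on-site equipment", 10, 1, 1),
]

if __name__ == "__main__":
    for mode, score, flag in rank(WORKSHEET):
        print(f"{score:4d} {'ACT ' if flag else 'keep'} {mode}")
```

Note that the fire row has the lowest product in the worksheet but is still flagged: the product alone hides rare catastrophic events, which is exactly the case in which section 7.1 says the risk must be avoided rather than controlled.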

  • FAULT TREE ANALYSIS (FTA): It is designed to identify system failures by working back from an undesired event to its causes. It is usually carried out on a diagram (known as a fault tree) that follows the relationships between all the minor events that can produce an unwanted major event.

The FTA is usually analyzed on a graph. A fault tree has two main components: (1) the logic diagram, which connects with logical OR and AND gates the sub-events that contribute to the final undesired event, and (2) the events themselves.

Construction of the tree begins at the top with the final undesired event. The tree is built progressively by repeatedly asking what must happen for the event in question to occur. Whether each sub-event is necessary or sufficient for the event above it is indicated by an AND or OR connector. Once the causal chain has been identified and the significance of the sub-events determined, the FTA provides a map for taking preventive measures.
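As an added example (not from the original article), the following Python script builds a small fault tree for the top event "unrecoverable data loss", computes its probability assuming independent basic events, and enumerates its minimal cut sets, the smallest combinations of basic events that are sufficient for the top event and therefore the places where a preventive measure pays off. The tree structure, event names and probabilities are constructed for the illustration.

```python
from dataclasses import dataclass
from itertools import product
from math import prod
from typing import Union


@dataclass(frozen=True)
class Event:
    """Basic event with its probability over the analysis period (assumed independent)."""
    name: str
    p: float


@dataclass(frozen=True)
class Gate:
    """AND: every input must occur; OR: any single input suffices."""
    kind: str
    inputs: tuple
    name: str = ""


Node = Union[Event, Gate]


def probability(node: Node) -> float:
    """Top-down probability of a node, assuming the basic events are independent."""
    if isinstance(node, Event):
        return node.p
    ps = [probability(i) for i in node.inputs]
    if node.kind == "AND":
        return prod(ps)
    if node.kind == "OR":
        return 1.0 - prod(1.0 - p for p in ps)
    raise ValueError(f"unknown gate {node.kind!r}")


def cut_sets(node: Node) -> set:
    """Minimal cut sets: combinations of basic events that cause the node, none a superset of another."""
    if isinstance(node, Event):
        return {frozenset([node.name])}
    children = [cut_sets(i) for i in node.inputs]
    if node.kind == "OR":
        candidates = set().union(*children)
    else:  # AND: one cut set from each input, merged
        candidates = {frozenset().union(*combo) for combo in product(*children)}
    return {s for s in candidates if not any(o < s for o in candidates)}


def data_loss_tree() -> Gate:
    """Constructed example: data is lost for good only if the primary copy is lost AND the
    restore from backup fails. Probabilities are illustrative, not measured."""
    primary_lost = Gate("OR", (Event("disk_failure", 0.05),
                               Event("ransomware", 0.10)), "primary copy lost")
    nobody_can_restore = Gate("AND", (Event("operator_unavailable", 0.10),
                                      Event("procedure_undocumented", 0.50)))
    restore_fails = Gate("OR", (Event("backup_corrupt", 0.02),
                                Event("backup_missed", 0.05),
                                nobody_can_restore), "restore fails")
    return Gate("AND", (primary_lost, restore_fails), "unrecoverable data loss")


if __name__ == "__main__":
    top = data_loss_tree()
    print(f"P({top.name}) = {probability(top):.5f}")
    for cs in sorted(cut_sets(top), key=sorted):
        print("cut set:", " AND ".join(sorted(cs)))
```

The independence assumption is the usual simplification and is optimistic when one cause (ransomware, for instance) can also corrupt the backups; a tree that shares a basic event between branches should be evaluated on its cut sets rather than by multiplying gate probabilities.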

7.6. CONTINGENCY PLAN - DISASTER PREVENTION PLAN

The need for a plan prepared in advance that establishes procedures in the event of a disaster is obvious. At the time of a disaster normal operations and procedures may be interrupted; basically, a disaster plan gives management a set of action plans to follow in a disaster or emergency situation. A disaster plan should take into account:

  • DETERMINATION OF BUSINESS REQUIREMENTS: During this initial part of the process, a business impact analysis must be carried out to determine what the requirements of the business are. Many business processes are so dependent on data processing that they cannot be carried out at all after a disaster. The negative impact of such a process failure must be evaluated: lost business, lost customers, cost of money and lost profit. There may also be regulatory reasons that require a business process to be available at all times. This analysis indicates the priorities among business processes and the recovery time needed for each one. A disaster also carries the risk that the organization loses track of business transactions that were in progress when it struck; the business impact analysis must determine to what extent such a loss can be tolerated for each business process.
  • PRIORITIES IN THE DISASTER ORGANIZATION: Setting priorities avoids confusion and conflict when the plan is put into action. The main priorities, in order of importance, are:
  1. Protection of human life.
  2. Preventing or minimizing personal injury.
  3. Preventing or minimizing potential damage to physical assets.
  4. Restoring normal operations as quickly as possible.
  • DETERMINATION OF DATA PROCESSING REQUIREMENTS: Once the business requirements have been determined, they must be translated into data processing terms in order to establish what procedures and resources are needed to support recovery and normal processing. The functions involved in analyzing the business processes and defining the requirements include: senior management (information technology, finance and business), business process owners, application owners, systems support and programming, information management, networking and general operations.

To carry out this process, you may have difficulties such as:

  • Lack of cooperation between senior executives and business units.
  • Low priority given to disaster recovery.
  • Underestimation of business processes.
  • Lack of awareness and goodwill.
  • Lack of a procedural plan.
  • DESIGN OF THE BACKUP AND RECOVERY SOLUTION: This step describes the general characteristics and the main elements of the intended solution, which are the following:
  1. Scope of the recovery: This element ensures from the outset that there is no confusion about what is being recovered and within what period. The scope definition includes the types of disaster that are included or excluded, the maximum recovery time, and the state the information is expected to be in once recovered.
  2. Testing strategy: This element determines, in general terms, how the solution will be tested, which in turn determines the complexity and cost of the solution.
  3. Data backup and recovery processes: The factors that influence backup and recovery decisions are:
  - Categorization of information: Information is the most important resource. Other resources such as hardware, software and physical facilities are ultimately replaceable; information is the most volatile and complex resource of all.
  - Having a disaster recovery scenario.
  - Verifying the interrelationships between the data.
  - Verifying that the transport and storage of the data are secure.
  - Verifying the different data backup options (point-in-time copies, online copies and incremental copies).
  - Managing and operating alternate emergency sites.
  - A physical and logical description of the recovery configuration.
  - Selecting backup products (tapes, floppy disks, tape backup units, backup software and network utilities) suitable for the design.
  • IMPLEMENT THE BACKUP AND RECOVERY SOLUTION: The initial step in developing the disaster plan is identifying the people who will be responsible for creating the plan and coordinating its functions. Typically they come from the personnel department, risk management, the security department and public relations. A disaster plan does not require a new organizational structure: the existing structure, temporarily reconfigured for the disaster situation, can perform the functions at the time of a disaster. In this step the recovery solution is put into practice according to the design developed, covering two main areas:
  1. Developing and implementing the technical procedures that support the recovery solution. These include: data backup procedures, storage procedures, data recovery procedures, computer management procedures and human resources procedures.
  2. Developing the recovery plan: A disaster recovery plan is a detailed document setting out all the actions that will be taken before, during and after a disaster. The recovery plan should include the following elements: the scope of recovery; processes for declaring a disaster; identification of the recovery work teams; the tasks and responsibilities of the work teams; a telephone and address list of the responsible persons; purchasing and acquisition information; network topology diagrams; configurations and backups.
  3. Distribution and maintenance of the plan: Once the disaster recovery plan has been developed and the recovery solution implemented, the plan must be distributed to the people who need to have it. Changes in the computing environment are constant, and any drastic change can render the plan unusable. Among the changes that may affect it are: the emergence of new technologies, changes in the current hardware configuration, changes in the network environment and organizational changes.

Therefore, it is necessary to carry out a permanent audit of the plan, to determine if updates or changes have been applied to the plan.
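As an added example, not taken from the original article, the following Python script models one of the checks that belongs in the testing strategy of the backup and recovery design above: given a catalog of full and incremental copies, it computes the chain that must be applied to restore after a disaster, the state of the information once recovered, and whether that state is within the tolerated data-loss window (the recovery point objective, which the article describes but does not name). The catalog, dates and 24-hour window are constructed; the second catalog has one tape missing to show how a broken chain silently moves the recovery point back, which is the kind of defect only a restore test reveals.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Backup:
    kind: str                        # "full" or "incremental"
    taken_at: datetime
    base: Optional[datetime] = None  # incremental: taken_at of the copy it was taken against


def restore_chain(catalog: List[Backup], disaster_at: datetime) -> List[Backup]:
    """Latest full copy before the disaster, then every incremental that chains to it,
    in the order they must be applied. The chain stops at the first missing link."""
    fulls = [b for b in catalog if b.kind == "full" and b.taken_at <= disaster_at]
    if not fulls:
        raise LookupError("no full backup exists before the disaster")
    chain = [max(fulls, key=lambda b: b.taken_at)]
    while True:
        links = [b for b in catalog
                 if b.kind == "incremental" and b.base == chain[-1].taken_at
                 and b.taken_at <= disaster_at]
        if not links:
            return chain
        chain.append(min(links, key=lambda b: b.taken_at))


def recovery_point(chain: List[Backup]) -> datetime:
    """State of the information once recovered: the time of the last copy applied."""
    return chain[-1].taken_at


def rpo_met(catalog: List[Backup], disaster_at: datetime, rpo: timedelta) -> bool:
    """Does the recoverable state fall within the tolerated data-loss window?"""
    return disaster_at - recovery_point(restore_chain(catalog, disaster_at)) <= rpo


def taken(day: int) -> datetime:
    """02:00 on the given day of March 2024 (constructed schedule)."""
    return datetime(2024, 3, day, 2, 0)


# Constructed catalog: weekly full on Sunday the 3rd, daily incrementals after it.
CATALOG_COMPLETE = [
    Backup("full", taken(3)),
    Backup("incremental", taken(4), base=taken(3)),
    Backup("incremental", taken(5), base=taken(4)),
    Backup("incremental", taken(6), base=taken(5)),
    Backup("incremental", taken(7), base=taken(6)),
    Backup("incremental", taken(8), base=taken(7)),
]
# Same catalog with Thursday's tape missing: Friday's copy can no longer be applied.
CATALOG_BROKEN = [b for b in CATALOG_COMPLETE if b.taken_at != taken(7)]
DISASTER = datetime(2024, 3, 8, 14, 0)   # Friday afternoon
RPO = timedelta(hours=24)                # assumed tolerated data loss

if __name__ == "__main__":
    for name, cat in (("complete", CATALOG_COMPLETE), ("missing Thursday", CATALOG_BROKEN)):
        chain = restore_chain(cat, DISASTER)
        print(f"{name}: apply {len(chain)} copies, recover to {recovery_point(chain)}, "
              f"RPO {'met' if rpo_met(cat, DISASTER, RPO) else 'MISSED'}")
```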

7.7. COMPUTER SECURITY STRUCTURE

The history of computer security goes back to the time of the first written documents. The need to protect information is usually dated to around 2000 BC, when the Egyptians used non-standard hieroglyphs to hide the meaning of inscriptions; as time passed, the civilizations of Babylon, Mesopotamia and Greece invented their own ways of protecting written information. Encryption, the basis of cryptography, was used by Julius Caesar and throughout history in times of war, including the American Revolutionary and Civil Wars and the two world wars. One of the best-known cipher machines was the German Enigma, used to produce encrypted messages in World War II. Over time, and thanks to the efforts of the Allied Ultra program (centered on the British codebreaking work at Bletchley Park) among others, the ability to decipher the messages generated by the Germans became an important success for the Allies.

In the last ten years the importance of computer security has been highlighted by a number of incidents. One was the Internet worm of 1988, written by Robert Morris, which spread to several thousand computers, a large share of the Internet of the time. Another was the hacker in Germany who broke into almost 30 systems out of a target he had set himself of nearly 500. More recently, in February 1995, the arrest of the most wanted hacker, Kevin Mitnick, revealed criminal activities that for years had included stealing source code, information and other confidential data. Clearly, the extensive use of computer systems has made computer security important. The primary goal of computer security is to protect computer resources from damage, alteration, theft and loss. This includes equipment, storage media, software, printed listings and, in general, data. An effective computer security structure rests on four risk management techniques, shown in the following diagram:

  • Strategies and policies: Management strategies for computer security, and the policies, standards, guidelines or directives used to communicate those strategies to the organization.
  • Organization administration: Processes directed at professional policies and training programs, change management and control, security administration and other necessary activities.
  • Event monitoring: Reactive processes that allow management to measure how well the policies are being implemented and to identify when the policies need to change.
  • Computer technology: The technology needed to provide appropriate protection and support for the different processes of the organization. Computer security encompasses a wide range of strategies and solutions, such as access control, one of the most important lines of defense against unwanted intruders. Basically, the role of access control is to identify the person who wants to access the system and its data and to verify that person's identity. The usual way to control access to a system is to refuse entry to anyone who does not have a valid username and password; passwords are an example of a simple but effective form of access control.

Access control is effective in keeping unauthorized people out of the system. However, once someone is inside, that person should not have free access to every program, file and piece of information on the system. Discretionary access control (DAC) is implemented on many systems and is an important part of any access scheme in which access to files and programs is granted according to the permissions assigned to a user or user profile. It is discretionary in that the owner of the resource, or an administrator, can decide what kind of access to give to other users of the system. This differs from a more restrictive class of controls, mandatory access control (MAC), in which the access rules are set by the system's security policy and cannot be overridden by individual users, giving much more rigid control of access to system information.
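The following Python script is an added illustration, not part of the original article, of how the two policies differ: a discretionary check in which the owner sets an access list, a mandatory check in the Bell-LaPadula style (no read up, no write down) that the owner cannot relax, and an authorization function that requires both to agree. The users, clearances, labels and the document are a constructed scenario.

```python
from dataclasses import dataclass, field

# Ordered classification levels for the mandatory policy (assumed lattice).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass
class Resource:
    name: str
    owner: str
    label: str                               # MAC label, set by the security administrator
    acl: dict = field(default_factory=dict)  # DAC: user -> set of permissions, set by the owner


class Discretionary:
    """DAC: the owner decides who gets which permissions on the resource."""

    def grant(self, actor: str, res: Resource, user: str, perms: set) -> None:
        if actor != res.owner:
            raise PermissionError(f"{actor} does not own {res.name}")
        res.acl.setdefault(user, set()).update(perms)

    def check(self, user: str, res: Resource, perm: str) -> bool:
        return user == res.owner or perm in res.acl.get(user, set())


def mandatory_check(clearance: str, res: Resource, perm: str) -> bool:
    """MAC in the Bell-LaPadula style: no read up, no write down.
    Nothing the owner does to the ACL can change this outcome."""
    subject, obj = LEVELS[clearance], LEVELS[res.label]
    if perm == "read":
        return subject >= obj
    if perm == "write":
        return subject <= obj
    raise ValueError(f"unknown permission {perm!r}")


def authorize(user: str, clearance: str, res: Resource, perm: str, dac: Discretionary) -> bool:
    """Both policies must allow the access; MAC is checked even when the owner granted it."""
    return dac.check(user, res, perm) and mandatory_check(clearance, res, perm)


# Constructed scenario: three users, their clearances and one labelled document.
CLEARANCES = {"alice": "secret", "bob": "confidential", "carol": "top_secret"}


def scenario() -> dict:
    dac = Discretionary()
    design = Resource("design.doc", owner="alice", label="secret")
    dac.grant("alice", design, "bob", {"read"})            # alice shares at her discretion
    dac.grant("alice", design, "carol", {"read", "write"})
    try:
        dac.grant("bob", design, "dave", {"read"})          # only the owner may grant
        bob_can_grant = True
    except PermissionError:
        bob_can_grant = False
    return {
        "bob_read": authorize("bob", CLEARANCES["bob"], design, "read", dac),        # DAC yes, MAC no
        "carol_read": authorize("carol", CLEARANCES["carol"], design, "read", dac),  # both yes
        "carol_write": authorize("carol", CLEARANCES["carol"], design, "write", dac),  # no write down
        "alice_write": authorize("alice", CLEARANCES["alice"], design, "write", dac),  # owner, same level
        "bob_can_grant": bob_can_grant,
    }


if __name__ == "__main__":
    for access, allowed in scenario().items():
        print(f"{access:14s} {'allowed' if allowed else 'denied'}")
```

The point the scenario makes is that alice's grant to bob is valid under DAC and still denied, because bob's clearance is below the document's label; conversely carol can read but not write, since writing a top-secret subject's data into a secret document would be a downward flow.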

  • Computer viruses: The prevention and control of the effects produced by the different types of viruses and destructive programs that exist.
  • System planning and administration: Planning, organization and administration of computer-related services, as well as the policies and procedures that guarantee the security of the organization's resources.
  • Encryption: The encryption and decryption of the information handled, so that only authorized people can access it.
  • Network and communications security: Controlling the security problems that arise in networks and telecommunications systems.
  • Physical security: Another important aspect of computer security is the physical security of computing services, equipment and data storage media, to avoid problems such as loss of productivity, loss of competitive advantage and deliberate sabotage. Some of the methods used to prevent unauthorized access to computer facilities are: keys and passwords for access to computers; locks and keys; cards or smart cards; and biometric devices (fingerprint readers, voice patterns, digital signature/handwriting, keystroke analysis and retina scanners, among others).
  8. RISK ADMINISTRATION AND CRIMES

It is not known exactly how much business loses to crime each year. The losses caused by crime are estimated at between 2% and 5% of business income.

8.1. CRIMES AGAINST BUSINESS

Offenses against business are generally classified as follows:

  • THEFT: Taking the property of others with the intention of profiting from it, by any act outside the law or without the owner's authorization.
  • FRAUD: Synonymous with deception and simulation, used to take advantage of the victim's good faith, trust or ignorance by making them believe something that is not true. For example, a crime is committed when someone forges an authorized signature on a financial instrument (a check, for instance) or increases or alters its value.

8.2 ASPECTS OF CONTROLLING LOSSES AND DISHONESTY OF EMPLOYEES

  • Selection of personnel: A standard loss prevention measure against crimes committed by employees is a thorough background check of candidates. On the presumption that a person who has committed a crime is likely to commit another, the person's criminal record is verified. This is not the only deciding factor, however, since many crimes are committed by trusted workers who give in to temptation.
  • Internal controls: The term internal control refers to the elements built into the organization that are designed to prevent crime within the company. The first element is a clear assignment of responsibilities, in which identifiable people are given defined roles. The second element divides the duties of employees so that no single person performs a whole function on their own (separation of duties), in accordance with company policy. The third element is an audit trail, which makes continuous control possible.

Based on the above, internal controls are designed in:

  • Expense procedures.
  • Sales procedures.
  • Procedures for receiving and shipping assets.
  • Cash management control procedures.
  • Audits: Once control procedures exist in the financial area, an effective audit program helps to ensure that the control requirements are met.

An audit program is an important function, despite the company having an exceptional internal control system. This makes it imperative to check the systems periodically to ensure that they are currently working properly.

PART II - ELEMENTS OF RISK MANAGEMENT IN COMPUTERS

The role of risk management is to identify, study, and eliminate the sources of harmful events before they begin to threaten computing processes.

Risk management is generally divided into:

  1. ESTIMATION OF RISKS

Risk estimation describes how to study risks within the overall planning of the computing environment and is divided into the following steps:

  • Risk identification, which produces a list of the risks capable of affecting the normal operation of the computing environment.
  • Risk analysis, which measures the probability of occurrence of each risk and its impact on the organization.
  • Prioritization of risks.

1.1. RISK IDENTIFICATION

This step identifies the factors that introduce a threat into the planning of the computing environment. The main factors are:

  • The planning itself, which includes: overly optimistic planning, planning with unnecessary tasks, and organizing a computing environment without taking into account unknown areas and its size.
  • Organization and management, which includes: low budgets, and a policy review / decision cycle slower than expected.
  • The work environment, which includes: malfunctioning development tools, inadequate workspaces, and a learning curve for new technologies longer than expected.
  • End-user decisions, which include: lack of end-user participation and lack of communication between users and the IT department.
  • The contracted staff, which includes: lack of motivation, lack of teamwork and poor quality work.
  • The processes, which include: bureaucracy, lack of quality control and lack of enthusiasm.

1.2. RISK ANALYSIS

Once the risks in the planning have been identified, the next step is to analyze them to determine their impact and, from that, choose among the possible alternative solutions. Risk analysis is explained in more detail later.

1.2.1. EXPOSURE TO RISKS

A useful and necessary activity in risk analysis is to determine the level of exposure to each risk in each of the processes in which it has been identified.

1.2.2 ESTIMATION OF THE CHANCE OF LOSS

The main ways to estimate the probability of loss are as follows:

  • Have the person who is most familiar with the computing environment estimate the probability of the occurrence of harmful events.
  • Use Delphi or group consensus techniques. The Delphi method consists of bringing together a group of experts to solve certain problems. This group performs an individual categorization of threats and risk objects using adjective calibration, in which the people involved choose a risk level from a set of adjectives (for example, probable, very probable) and these levels are then converted into quantitative estimates.

1.2.3. PRIORITIZATION OF RISKS

In this step of risk estimation, the priority of each risk is estimated so that there is a way to focus the effort on developing risk management. Once prioritization has been carried out (separating high-risk and low-risk elements), the low-risk elements should not receive much attention, otherwise the truly critical ones may be pushed into the background.

1.3 RISK CONTROL

Once the risks of the computing environment have been identified and their probability of occurrence analyzed, there are bases to control them, which are:

  • Risk planning
  • Risk resolution
  • Risk monitoring

1.3.1. RISK PLANNING

Its objective is to develop a plan that controls each of the damaging events to which computer activities are exposed.

1.3.2. RISK RESOLUTION

Risk resolution is made up of the methods that control the problem of inadequate control design; the main ones are:

  1. Avoid the risk: do not carry out risky activities.
  2. Get information about the risk.
  3. Plan the computing environment so that, if a risk occurs, the computer activities are still fulfilled.
  4. Eliminate the source of the risk, if possible from the beginning.
  5. Assume and communicate the risk.

To illustrate how some of these risks can be controlled, Table No. 3 lists the most common control methods:

Table No. 3 - RISK CONTROL METHODS

Risk                          Control methods
Change of service provision   · Use of customer-oriented techniques.
                              · Design for new changes.
Quality cut                   · Allow time for control activities.
Overly optimistic planning    · Use of estimation techniques and tools.
Problems with hired staff     · Ask for personal and work references.
                              · Hire and plan key team members well before the project begins.
                              · Have good relations with the hired personnel.

1.3.3 RISK MONITORING

Life in the computer world would be easier if risks appeared after we had developed plans to deal with them. But risks appear and disappear within the computing environment, so monitoring is needed to check how risk control is progressing and to identify how new harmful events appear in computing activities.

PART III - RISK ANALYSIS

The general objective of risk analysis is to identify the potential causes of risk. Figure 4 shows, for example, the main risks that threaten the computing environment. This identification is carried out within a defined area so that sufficient information about it is available, which in turn allows an adequate design and implementation of control mechanisms that minimize the effects of unwanted events at the different points of analysis.

In addition, the risk analysis meets the following objectives:

  • Analyze the time, effort and resources available and necessary to attack the problems.
  • Carry out a thorough analysis of risks and weaknesses.
  • Identify, define and review security controls.
  • Determine whether it is necessary to increase security measures.
  • Once the risks, security perimeters and places of greatest danger have been identified, maintenance can be done more easily.

Before carrying out the risk analysis, the following aspects must be taken into account:

  • The policies and needs of the organization must be taken into account, as well as the collaboration of all the parts that make it up and that are involved in the basic processes.
  • New technological advances and the cunning of expert intruders must be taken into account.
  • The costs of the control mechanisms to be developed must be weighed against the effectiveness of the program.
  • The committee or the board of directors of any organization must include in its plans and budget the expenses necessary for the development of security programs, and bear in mind that this part is essential for any development process of the company: specifying the security levels and the responsibilities of the people involved is a crucial complement to the good operation of any security program.
  • Another aspect that must be taken into account is the additional overhead that the mechanisms and countermeasures may place on the computing environment, without forgetting the additional costs generated by their implementation.

Risk analysis uses the matrix method called RISK MAP to identify the vulnerability of a service or business to typical risks. The method contains the following steps:

  • Location of the processes in the dependencies that intervene in the provision of the service (see figure No. 5).
  • Location of the critical risks and their effect on the business processes. This step determines the vulnerability of an activity to a threat. To assign a weight to each risk, three vulnerability categories are considered (1 low, 2 medium, 3 high), and one of them is assigned to each activity according to its weakness to a threat (cause of risk). For example, if we state that the risk of a wrong decision has a high vulnerability, then it would have a high priority within our security policies (see figure No. 6).

RISK              Obtained (%)   Vulnerability
Wrong decisions   59             HIGH
Fraud             55             MEDIUM
Theft             54             MEDIUM

Within the computing environment, threats (causes of risk) can be classified as follows:

  • Natural: Mainly include natural changes that can affect in one way or another the normal performance of the computing environment; for example, the possibility of a fire at the site where the wiring hubs are located, since they are possibly surrounded by wooden walls, is a natural threat.
  • Accidental: These are the most common and include:
    - End-user errors: for example, a user has administrator permissions and, possibly unintentionally, modifies relevant information.
    - Operator errors: for example, an operator was logged in and forgot to log out; someone with physical access to the machine in question can wreak havoc.
    - Administrative errors: for example, installations and configurations without security mechanisms to protect them.
    - Output errors: for example, printers or other misconfigured devices.
    - System errors: for example, damage to operating system files.
    - Communication errors: for example, allowing the transmission of information in a way that violates the confidentiality of the data.
  • Deliberate: These threats can be active (unauthorized access, unauthorized modifications, sabotage) or passive (much more technical in nature, such as electromagnetic and / or microwave interference emanations).

  • Location of the critical risks in the company's dependencies and in the processes involved in the business (see figure No. 7 and figure No. 8).
Process / Risk                    Wrong decisions   Fraud   Theft
Transactional center management   X X
System Administration             X X
Customer Support                  X X
Accounts reconciliation           X X X

Risks vs. Dependencies   Financial division   Systems   Purse   Accounting
Wrong decisions          X X
Fraud                    X X X X
Theft                    X X X X

  • Identify the necessary controls: In this step the controls are specified; these are mechanisms that help reduce the risk to minimum levels or, in some cases, eliminate it completely. It should be borne in mind that these measures have three different capacities: prevention mechanisms, detection mechanisms and correction mechanisms, which function within a process or business as described in figure No. 9. This step also covers the functionality and usefulness of each control, and the people responsible for implementing the controls are identified.
  • Design the final controls: At this step the necessary inputs are available to start implementing the chosen controls or to start building these mechanisms.
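The RISK MAP method described above can be carried through as a small computation: each process gets a vulnerability weight per risk on the article's scale (1 low, 2 medium, 3 high), the weights are aggregated into the "obtained %" per risk, and the process / risk and dependency / risk matrices are derived from the same data. This is an added example, not code from the article; the process names, the weights, the assignment of processes to dependencies and the HIGH / MEDIUM / LOW percentage cut-offs are all constructed assumptions, since the article states the categories but not the cut-offs.

```python
"""Risk map matrix (added example; the sample data and cut-offs are assumptions)."""
from collections import defaultdict

RISKS = ("Wrong decisions", "Fraud", "Theft")
MAX_WEIGHT = 3  # article's scale: 1 low, 2 medium, 3 high; 0 = risk does not apply

# Constructed sample data: process -> (dependency it belongs to, {risk: weight}).
PROCESSES = {
    "Transactional center management": ("Systems",    {"Wrong decisions": 2, "Fraud": 3, "Theft": 0}),
    "System Administration":           ("Systems",    {"Wrong decisions": 3, "Fraud": 0, "Theft": 2}),
    "Customer Support":                ("Financial",  {"Wrong decisions": 1, "Fraud": 2, "Theft": 0}),
    "Accounts reconciliation":         ("Accounting", {"Wrong decisions": 3, "Fraud": 3, "Theft": 3}),
}


def risk_percentages(processes=PROCESSES):
    """Obtained % per risk: total weight over all processes / maximum possible weight."""
    maximum = MAX_WEIGHT * len(processes)
    totals = defaultdict(int)
    for _dependency, weights in processes.values():
        for risk in RISKS:
            totals[risk] += weights.get(risk, 0)
    return {risk: round(100 * totals[risk] / maximum) for risk in RISKS}


def vulnerability(percent, high=70, medium=35):
    """Map an obtained % to HIGH / MEDIUM / LOW. The cut-offs are an assumption."""
    if percent >= high:
        return "HIGH"
    if percent >= medium:
        return "MEDIUM"
    return "LOW"


def process_risk_matrix(processes=PROCESSES):
    """Process / risk matrix: a risk is marked (X) wherever its weight is non-zero."""
    return {proc: {r for r in RISKS if weights.get(r, 0)}
            for proc, (_dependency, weights) in processes.items()}


def dependency_risk_matrix(processes=PROCESSES):
    """Risks vs. dependencies: a dependency is exposed to a risk if any of its processes is."""
    exposed = defaultdict(set)
    for dependency, weights in processes.values():
        exposed[dependency] |= {r for r in RISKS if weights.get(r, 0)}
    return dict(exposed)


if __name__ == "__main__":
    for risk, pct in sorted(risk_percentages().items(), key=lambda kv: -kv[1]):
        print(f"{risk:16} {pct:3d}%  {vulnerability(pct)}")
    for proc, risks in process_risk_matrix().items():
        print(f"{proc:32} " + " ".join("X" if r in risks else "-" for r in RISKS))
```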

The following criteria allow control mechanisms to be evaluated against a symbolic (qualitative) score:

  • Confidentiality: Refers to the protection of information, mainly from unauthorized access. Staff information, investigations and development reports are some examples of information that needs confidentiality.
  • Integrity: The service offered by the IT department must be adequate, complete and authentic at the time the information is processed, presented, stored or transmitted.
  • Availability: Indicates the availability that computing activities may have at any given time. This availability must be immediate.
  • Results of the risk analysis: The results of the risk analysis must be disclosed in a timely manner so that they can be incorporated from the first stages of the process.
  • Verification by the computer audit of the timely incorporation of controls: The computer audit must know the result of the risk analysis and verify its timely implementation, to ensure the best levels of quality, safety and effectiveness of the computer processes.

GLOSSARY

ERGONOMICS

Scientific discipline that puts human needs and capacities as the focus of the design of technological systems. Its purpose is to ensure that humans and technology work in complete harmony, keeping teams and tasks in accordance with human characteristics.

RISK

It is the value of the losses to which companies are exposed due to the occurrence of harmful events.

THREAT

The threats or causes of the risk refer to the possible means or alternatives that generate each of the risks.

CONTROL

Control is any action aimed at minimizing the frequency of occurrence of the causes of risk or the value of the losses caused by them. Controls serve to ensure the achievement of the organization's objectives or to ensure the success of a system and to reduce the exposure of risks to reasonable levels. The basic objectives of the controls are: Preventing the causes of the risk, detecting the occurrence of the causes of the risk, and providing feedback to the internal control system with corrective means.

INHERENT

Essential, permanent, which, by its nature, cannot be separated from anything else.

EXERCISE

Something that must be carried out to complete one or more specific tasks.

BUSINESS

Private or public company that provides products and services to satisfy the requirements of a specific client.


International Electrotechnical Commission (IEC) standard, in English, which is used for computer technology and electrical equipment.

Risk Management Information Systems (translated from the Spanish name).

OSHA - Occupational Safety and Health Act - Federal standard of the United States of America, passed by Congress first on December 20, 1970 and finally taking effect on April 28, 1971.

H. W. Heinrich: safety engineer and pioneer in the field of industrial safety.

Dr. William Haddon, Jr.: industrial engineer, Insurance Institute for Highway Safety, USA.

In English, the initials of Hazard Mode and Effect Analysis.

In English, the initials of Fault-Tree Analysis.
