Root Cause Analysis for IT Risk ManagementTable of ContentsRoot Cause AnalysisRole of IT Auditor in Determining Root CauseRoot CauseRecommendationsRisk Management & Change ControlHigh-Level Business Process Flow ChartDocumentation to TestNIST Cybersecurity FrameworkReasonable Steps to Secure Sensitive Customer DataPeriodic Independent Cybersecurity IT AuditsAssessment of Risks in Cloud-based EnvironmentVendor Risk Management FrameworkPotential Risks & Audit Strategies Evaluation & Selection of Third-party Cloud ProviderRoot Cause Analysis in Investigating a Data BreachFactors that Contributed to Data BreachApplying Root Cause Analysis to Identify Primary CauseRecommendations to Avoid the Problem in FutureReferencesRoot Cause AnalysisRoot Cause Analysis in the process of evaluation of IT risk event is a risk identification technique that provides the details of the risks and reasons for the occurrence of the same. The triggers that may lead to the occurrence of the risk and the associated vulnerabilities of the organization contributing the same are listed in the process[1]. As a newly employed staff who just finished a course in IT audit will make sure that role of IT auditor in determining root cause, root cause and recommendation are followed. Based on the information at hand the previous manager failed to follow the adequate procedure such as addressing issues of root cause and recommendations to solve the impeding problems. Role of IT Auditor in Determining Root CauseThere are certain steps that are followed by an IT auditor in the root cause analysis of an IT event. The primary step is gathering and managing the evidence. The IT auditor shall carry out evidence-based root cause analysis and look out for the evidence in the areas as people of the organization, systems, environment, procedures, and documentation. The auditor shall then prepare a problem statement listing the details of the problem, associated impact, and area(s) of impact. The nature of the impacts may be qualitative or quantitative in nature. The problem statement must focus upon both of these impacts. Cause-and-Effect analysis shall then be done by the auditor to build a model of how the problem occurred. The solutions to the problem shall be documented in the next step followed by the submission of the final report to the senior management[2].Root CauseThe root cause for the scenario specified for MortgageNow Inc. is the poor and inadequate management of the user identities. There are inappropriate users IDs that are active along with the IDs of the employees or contractors that no longer work for the company. The root cause behind the problem is ineffective identity control and management by the senior managers and representatives of the organization. This may result in the negative implications on the privacy and confidentiality of the organization data and information sets. RecommendationsThe following steps shall be followed for sustainable corrective actions to respond to the root cause of the problem of identity management in the organization.The analysis of the IDs in the active state shall be done and mapped with the identity owners. The IDs that do not have a corresponding owner shall be deactivated.The access control and user permissions shall be analysed and assigned for the users on the basis of their role in the organization.The identity management process shall be re-designed on the basis of multi-fold authentication comprising of authorizing the users on the basis of their IDs followed by a biometric-based recognition to identify the user. This will result in the inability to the attackers to forge and misuse the user IDs.Finally, management seeing the root cause of the organization problem will enable them avoid same issue happening again. The management should ensure that the identity management and control is adequately implemented in the organization.Risk Management & Change ControlHigh-Level Business Process Flow ChartEmergency Change Control ProcessThe emergency change control process that shall be followed for handling and managing the changes and the risk events is depicted in the flow chart above. There are three major phases that shall be used for managing the changes as change initiator, change management, and change implementation[3]. Request for Change (RFC) is a formal change request document that shall be circulated comprising of the changes that need to be made, associated risks with the change, impact of the change on the scope, time, and budget along with the resources responsible for the execution of the changes. The planning of the change shall be followed by review, analysis, and authorization of the request. Once the change is authorized and accepted, it shall be implemented in the organization. The review and audit cycles shall run in parallel to keep a track of the changes being made. The closure of the change shall be done only after the post implementation review is successful.The change control points have been marked with red arrows in the image above. These are the four control points that will make sure that the risks do not occur. In the case of occurrence of the risk(s), the mitigation strategies will be implemented to avoid the impact of the risks. The control points will ensure that the changes that are implemented in the organization do not result in the risky event.Documentation to TestThere will be documentation that will be required to be tested to make sure that the emergency change control process is being carried out effectively.Request for Change (RFC): The document will be tested to determine the feasibility of the change along with the nature of the change. The analysis and audit of the document will provide the details of the changes that will be made along with the associated impact of the change.Change Plan: The document will include the detailed methodology of change implementation and management. The impact of the change on the schedule, budget, and scope will also be included in the plan. The analysis of the document will provide an overview of the adherence of the planned values in the implementation process[4]. The IT auditor may use the techniques as Earned Value Management to analyse the gaps in the planned and actual values of schedule and budget.Change Review Report: The implementation review and post implementation review of the change will be done to understand the correctness of the process and to identify the areas of improvement. The analysis of the document will provide the details of the major gaps and areas to be focussed upon.Change Closure Report: The final report that will be submitted by the resources for handling the changes will be the closure report. The IT auditor shall analyse the document to determine the activities performed by the team in the process of handling the changes along with the areas that may be improved upon in the future.NIST Cybersecurity FrameworkReasonable Steps to Secure Sensitive Customer DataThere are several frameworks that have been developed to make sure that the information properties are protected and safeguarded. One such framework is NIST Cybersecurity framework.Adopting and adhering to such frameworks can assist the organizations in implementing reasonable steps to secure the sensitive customer data and information. The core structure of the framework is as represented in the image below.NIST Framework Core Structure[5]The business organizations can adopt the framework and use it as a guideline to safeguard its information sets. There are five primary functions that the organizations may use in the process as identify, protect, detect, respond, and recover. These functions may be used to carry out the strategies to identify all the possible risks that an organization may be exposed to. The identification of all the risk events will provide the organization with the readiness to implement the risk management activities. The analysis of the identified risks will assist in the development of the protection strategies that may be used. The detection of the strategies to be applied will make sure that a better response is provided to the risk areas. This will assist in enhanced management and control of the risks[6]. The ability to recover from the risks will also be provided to the organization in case of the occurrence of the risks.Each of these five functions is mapped with the categories and sub-categories that may be used by the organizations to further streamline the process. For instance, the risk identified in the initial step may be assigned to the categories as legal risks, ethical risks, quality risks, resource risks, project-related risks, and likewise. These identified risk categories may have sub-categories, for example, project-related risks may be assigned to the sub-categories as schedule risks, budget risks, policy risks, customer risks, stakeholder risks, and communication risks. The security risks on the information sets may also be classified in the sub-categories as network security risks, system risks, insider threats, etc. The organization will be able to design and implement the controls on the basis of the risk categories and sub-categories resulting in higher success rates.Periodic Independent Cybersecurity IT AuditsIt is necessary to carry out periodic independent cybersecurity IT audits to ensure that the steps that are taken for risk management and control are effective in nature.The conduction of these IT audits will make sure that the areas that may be required to be improved upon are identified and highlighted. For instance, in order to deal with the network-based security attacks, the organization may be using outdated network-based intrusion detection and prevention system[7]. The IT audit will determine the need to update the tools and equipment being used in the process of risk handling and the other areas of improvement will be identified as well. The IT audits will also analyse the gaps in the resource skills that may require improvements and the measures to be taken to address the same will also be listed.The conduction of the periodic audits will ensure that the overall improvements in the integrated cybersecurity risk handling and control is implemented.Assessment of Risks in Cloud-based EnvironmentVendor Risk Management FrameworkThere is a defined process that shall be used in the managing the risks associated with the vendors. There are four steps that shall be included in the vendor risk management framework. The four steps have been listed below.Vendor Risk Management FrameworkThe first step that shall be followed in the development of vendor risk criteria for the third-party cloud providers. The risk criteria shall be defined and must be based upon the areas as operational risks, data privacy risks, transactional risks, compliance risks, procurement risks, legal risks, and regulatory risks[8]. Vendor information management shall be done by analysing the vendor qualification, market performance, contract management procedure, customer support services, policy, and procedure management. The vendor risk analysis shall be done by following the process as risk universe management, risk identification, risk prioritization, and risk scoring. The assessment of the vendor on the basis of the information collected shall be done. The assessment process shall be qualitative and quantitative in nature.The monitoring of the risks shall be done by carrying out the control tests and scoring along with the use of Key Performance Indicators (KPIs). These KPIs may be based upon the areas as services, costs, schedule, resources, terms & conditions, and policies. The SWOT analysis shall be done to determine the control process and monitoring activities being carried out followed by the closure of the risks.The process of vendor risk management will make sure that the third-party cloud provider that is selected for the organization is as per the needs of the organization.Potential Risks & Audit Strategies Evaluation & Selection of Third-party Cloud ProviderThe potential risks that may come up in the process of the selection of the third-party cloud provider may be legal risks, procurement risks, communication issues, security risks, and market-related risks.The cloud provider may not comply with certain legal policies and standards which may result in legal obligations for the organization. The contractual and procurement process used with the cloud-provider may result in differences in the terms of services. There may be issues around the availability of the two parties for communications which may bring up the gaps in the understanding of the requirements. There may be issues with the security strategies and policies used by the third-party cloud provider. The changes in the market scenarios and status may bring up the issues of changes in the price for service and technological modifications[9].The audit strategies that are followed and applied in the process must make use of the vendor risk management process as documented above. The strategies shall also focus upon the use of automated tools for analysing the market conditions and scenarios. The performance of the vendor in the market will provide an overview of the possible risks that may emerge. The IT auditor must also take assistance from a legal representative. The legal assistance will ensure that the legal policies and standards are adhered to. The use of qualitative and quantitative strategies shall be done to determine the impact levels. The control processes and strategies shall be designed accordingly.Root Cause Analysis in Investigating a Data BreachFactors that Contributed to Data BreachA recent case of data breach has occurred in Nordstrom which is an American company of luxury department stores. The company has its headquarters in Seattle and a spokesperson of the company reported that data breach occurred resulting in the exposure of private and sensitive employee information. Co-President Blake Nordstrom circulated an email to the employees of the organization on November 7, 2018 to inform them about the information breach that took place.The factors that contributed to the breach were the access provided to the contract worker on the sensitive information sets that resulted in the exposure of the information. It indicates the lack of adequate governance and control along with the gaps in the security controls that were used in the organization[10].Applying Root Cause Analysis to Identify Primary CauseThe application of the root cause analysis will be done in this case by gathering the evidence as a primary step. The employees of Nordstrom, senior management, contract workers, and other stakeholders will be interviewed so that the potential causes resulting in the breach could be identified. The analysis of the control and governance measures along with the system analysis will be done to determine the nature of the security controls being used in the organization. The evidence-based analysis will be done to understand the probable causes that may have contributed to the event in the areas as people, system, technology, and governance. Once the initial evidences will be gathered, the problem statement will then be prepared describing the nature of the event, location of the event, impact of the event, and the probable causes of the event. Cause-and-effect analysis will then be done to identify the primary and secondary causes of the problem[11]. The results will then be mapped with the event and a final report will be prepared describing the root cause of the issue.Recommendations to Avoid the Problem in FutureThe following recommendations will be made to make sure that a similar problem does not occur in the future.All of the data and information sets associated with the organization shall be encrypted using the advanced encryption algorithms, such as triple data encryption standard, advanced data encryption standard, and hashing algorithms.The use of multi-fold authentication measures shall be used for identity control of the users and employees of the organization. There shall be use of one time passwords and biometric recognition systems for identity management.The use of automated security tools and controls shall be increased covering the integration of the systems and databases with anti-malware tools, anti-denial tools, firewalls, intrusion detection, and prevention systems.The access control and user permissions shall be revised and must be assigned on the basis of the user role. Attribute and role-based access control mechanisms shall be promoted.The physical security of the organization shall be enhanced with the use of automated security controls.IT audits and reviews shall be conducted as a part of regular procedure. ReferencesBlackhurst, J.V., Kevin, P.S. and Danny J.J., Supplier Risk Assessment And Monitoring For The Automotive Industry (2008) 38(2) International Journal of Physical Distribution & Logistics ManagementCerniglia-Lowensen, J., Learning From Mistakes And Near Mistakes: Using Root Cause Analysis As A Risk Management Tool (2015) 34(1) Journal of Radiology NursingDesmond, C., Project To Plan For Significant Process Change (2016) 44(2) IEEE Engineering Management ReviewErshadi, M.J., Roozbeh A. and Shirin K., Root Cause Analysis In Quality Problem Solving Of Research Information Systems: A Case Study (2018) 24(2) International Journal of Productivity and Quality ManagementFochmann, M. and Marcel H., Strategic Decision Behavior And Audit Quality Of Big And Small Audit Firms In A Tendering Process [2015] SSRN Electronic JournalHumberto, M.M., Jorge, F.G. and Georges, T., Change And Stability Interaction Processes In Smes: A Comparative Case Study (2013) 26(2) Journal of Organizational Change ManagementMalhotra, Y., Cybersecurity & Cyber-Finance Risk Management: Strategies, Tactics, Operations, &, Intelligence: Enterprise Risk Management To Model Risk Management: Understanding Vulnerabilities, Threats, & Risk Mitigation (Presentation Slides) [2015] SSRN Electronic JournalSabillon, R., A Practical Model To Perform Comprehensive Cybersecurity Audits (2018) 9(1) Enfoque UTEStroud, R., Vendor Risk Management Using COBIT 5 (2014) 50(1) EDPACSDavis, J., Nordstrom Data Breach Exposes Employee Information Security Today (2018) Security Today
Recent Comments