An interesting site with blogs about IT audit and security
Risk3sixty refers to itself as providing “insights on information risk management, cybersecurity, IT Audit, and Information Assurance”. Christian Hyatt is the lead author and his posts are typically quite short (unlike some of mine).
One caught my eye: “Application Risk Management”, from April of this year. It suggests three steps:
- Build an application inventory
- Assess the level of risk for each application
- Select projects
In such a short post, it is impossible to be anything but high-level, possibly even simplistic. However, let me point out a couple of issues.
- In these days of cloud and mobile, it can be incredibly difficult to get a handle on all of the applications used by management across the enterprise to make decisions, process transactions, and so on. Any inventory you build is likely to be out of date within the month.
- The level of risk should be assessed based on the potential for a failure (of, or relating to, the application) to affect the operation of the business and the achievement of enterprise objectives.
Expanding on the latter point: is it better to build the risk assessment from an inventory of applications (a ‘bottom-up’ approach), or by taking each enterprise objective in turn and considering whether a failure in an application would have a significant effect on it (a ‘top-down’ approach)?
My personal view is to place more attention on the latter, but I can understand the desire to supplement it with a bottom-up approach.
As Christian asks: how do you assess risk relating to applications?
I welcome your comments.