Part 1. We use ITIL
Cyber resilience is an integral quality of business in modern realities. To achieve it, it is necessary not only to implement modern technologies, new products and solutions, but also to competently manage internal and external processes. IT methodologies help in this – in particular, ITIL and COBIT.
My name is Olga Ageshina, I am an IT consultant at Innostage, and I will talk about how popular IT methodologies can be applied in IS, and I will also analyze their implementation in specific processes using an example. In this article, we will focus on ITIL, and in the next I will analyze COBIT.
About the methodology
ITIL (Information Technology Infrastructure Library) is a set of best practices and recommendations in the field of information technology management, designed to optimize IT service delivery processes. The methodology is focused on the creation of standards and approaches that allow organizations to effectively manage their IT infrastructure, services and processes.
The purpose of the methodology is to provide organizations with comprehensive guidance for managing IT in the modern service economy.
The process of IT risk management through ITIL on the example of a specific company
The ITIL risk management process aims to identify, analyze and manage risks related to IT services and infrastructure to minimize their negative impact on the business.
For our case, let's take a hypothetical company from the financial sector, for example a medium-sized bank. Recently the business has been facing a growing number of incidents caused by unpredictable IT risks, such as cyber attacks, hardware failures and software bugs. These incidents have led to significant financial losses and undermined customer confidence.
We need to implement a structured risk management process based on ITIL to improve the identification, assessment and management of risks related to IT infrastructure and services.
Step 1. Identification of risks
First, you need to create a comprehensive register that includes all possible IS risks related to IT infrastructure, data and services. There are two ways to do this:
- Brainstorming with representatives from all key departments, including IT, security, finance and legal.
- Tools for systematic identification of internal and external risks, such as SWOT analysis and PEST analysis.
What risks can there be?
- Cyber attacks. These include phishing, malware attacks and DDoS attacks.
- Insider threats, caused by employee actions that are intentional (e.g., espionage) or unintentional (e.g., sending confidential information to the wrong recipient).
- Breach of data privacy: leakage of customers' personal data or compromise of financial information.
- Software vulnerabilities. This includes, for example, zero-day vulnerabilities.
- Misuse of access rights: excessive rights for ordinary users, use of weak passwords, lack of multi-factor authentication (MFA), all of which increase the risk of unauthorized access.
- Risks associated with suppliers and partners; this attack vector has been growing rapidly recently.
- Violation of cybersecurity and data protection legislation. This includes, for example, non-compliance with Decree No. 250 of the President of the Russian Federation on import substitution of software at KII facilities.
As a result, we get a complete and comprehensive register of risks, which will help in the development of strategies for their minimization.
Step 2. Risk assessment
For each identified risk, we will conduct an assessment that includes:
- Probability assessment: how often each risk can occur.
- Impact assessment: the possible consequences of the risk for the business, including financial, reputational and legal.
Creating a risk matrix will allow the company to determine which risks are the most critical and require immediate attention.
| Risk | Probability | Impact | Comment |
|---|---|---|---|
| Phishing attacks | High | Medium | Common and can lead to data leakage or malware installation. Financial and reputational losses can be significant. |
| Malicious software | High | High | Widespread and can lead to significant financial losses, data leakage and system disruption. |
| DDoS attacks | Medium | High | Not so frequent, but can significantly disrupt the availability of services, which leads to losses and reputational damage. |
| Malicious actions of employees | Low | High | They happen less often, but can have devastating consequences for the financial and reputational stability of the company. |
| Unintentional actions of employees | Medium | Medium | Employee errors are quite common and can lead to data leaks or system failures. |
| Leakage of personal data of customers | Medium | High | Frequent, especially in the financial sector; can result in serious legal and reputational consequences, as well as significant fines. |
| Compromise of financial information | Medium | High | Leakage of financial information can lead to serious financial and reputational losses. |
| Vulnerabilities in software | Low | High | Rare, but their exploitation can lead to significant system damage and data leaks. |
| Improper privilege management | Medium | Medium | May lead to data leaks or security breaches, causing financial and reputational losses. |
| Weak authentication and authorization | Medium | High | An authentication vulnerability could allow attackers to gain access to critical systems and data. |
| Risks related to suppliers and partners | Medium | Medium | Suppliers can be the source of data breaches or other incidents affecting the company. |
| Violation of regulatory requirements | Low | High | Failure to comply can result in large fines and legal consequences, with significant reputational damage. |
This assessment allows you to identify priority risks that should be addressed first.
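To make the prioritization repeatable rather than a matter of reading the matrix by eye, here is a small scoring script added as an illustration (it is not part of the article). It assumes an ordinal 1..3 scale for each qualitative level, scores each risk as probability times impact, and assigns priority bands whose thresholds are an assumption; the register itself is constructed from the table above.

```python
from dataclasses import dataclass

# Assumed ordinal scale for the qualitative levels used in the matrix.
# "average" is accepted as an alias of "medium" so the table's own wording works.
LEVEL = {"low": 1, "medium": 2, "average": 2, "high": 3}


@dataclass
class Risk:
    name: str
    probability: str
    impact: str


# Constructed register: the twelve risks and ratings from the article's matrix.
REGISTER = [
    Risk("Phishing attacks", "high", "medium"),
    Risk("Malicious software", "high", "high"),
    Risk("DDoS attacks", "medium", "high"),
    Risk("Malicious actions of employees", "low", "high"),
    Risk("Unintentional actions of employees", "medium", "medium"),
    Risk("Leakage of personal data of customers", "medium", "high"),
    Risk("Compromise of financial information", "medium", "high"),
    Risk("Vulnerabilities in software", "low", "high"),
    Risk("Improper privilege management", "medium", "medium"),
    Risk("Weak authentication and authorization", "medium", "high"),
    Risk("Risks related to suppliers and partners", "medium", "average"),
    Risk("Violation of regulatory requirements", "low", "high"),
]


def score(risk: Risk) -> int:
    """Risk score = probability x impact on the 1..3 scale, giving 1..9."""
    return LEVEL[risk.probability.lower()] * LEVEL[risk.impact.lower()]


def priority(s: int) -> str:
    """Assumed bands: 6..9 critical, 3..4 significant, 1..2 minor."""
    if s >= 6:
        return "critical"
    return "significant" if s >= 3 else "minor"


def prioritize(register):
    """Rank risks by score; ties broken by impact (high-impact first), then name."""
    rows = [(r.name, score(r), priority(score(r)), LEVEL[r.impact.lower()])
            for r in register]
    rows.sort(key=lambda t: (-t[1], -t[3], t[0]))
    return [(name, s, band) for name, s, band, _ in rows]


if __name__ == "__main__":
    for name, s, band in prioritize(REGISTER):
        print(f"{s}  {band:<12}{name}")
```

Breaking ties by impact rather than probability reflects the article's own ordering, where a medium-probability, high-impact risk such as a DDoS attack is treated as more pressing than a high-probability, medium-impact one such as phishing.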
Step 3. Development and implementation of risk management measures
There are four main options for treating a risk:
- Avoidance, that is, eliminating the risk by changing processes or technologies. For example, refusing to use outdated systems with known vulnerabilities.
- Reduction. Implementing additional security measures, such as improving authentication systems, regularly updating software, and improving employee training.
- Transfer. Using insurance and outsourcing to reduce financial losses from certain risks.
- Acceptance. Accepting risks that cannot be avoided or reduced to an acceptable level.
Let's consider measures for some of the risks that we assessed in the previous step.
Phishing attacks
To reduce the risk, it is necessary to implement employee training programs on cyber security, use anti-phishing filters in the mail and conduct regular phishing tests.
Malicious software
We reduce the risk by using anti-virus software and threat detection tools. We regularly update software and monitor file downloads on domain machines.
Unintentional actions of employees
Almost 80% of IS incidents are caused by the human factor, so this risk is relevant for all companies. We reduce it through regular cyber exercises and by introducing additional control procedures. Routine processes can also be automated to reduce errors.
Risks related to suppliers and partners
Innostage SOC CyberART experts spoke of a two-fold increase in attacks through the “contractor compromise” vector in the first half of 2024 compared to the same period last year.
The risk can be reduced through regular audits of suppliers and the use of service level agreements. Validation of the contractor's cyber security processes may also be required, for example through bug bounty programs or open cyber exercises.
Acceptance of risk
Some risks, such as rare zero-day vulnerabilities or rare occurrences of critical system failures, can be accepted if they are considered minimal and the cost of mitigating them is not justified.
These measures will allow the company to more effectively manage IT risks, minimizing their impact on business and increasing the level of protection of information systems and data.
Step 4. Monitoring and reporting
To ensure constant risk control, we will implement a monitoring system that includes:
- Regular audits and checks of the effectiveness of the measures taken.
- Use of key performance indicators to assess the effectiveness of risk management.
- Regular reporting to company management and stakeholders.
Based on this, we get a list of tools that need to be implemented in our business:
- Security Information and Event Management (SIEM) systems, to enable central monitoring and correlation of security events.
- Vulnerability management systems, to regularly scan the IT infrastructure for vulnerabilities and manage their remediation.
- Security incident management systems, to organize an effective response to incidents and minimize their consequences, providing structure and reporting.
These three classes of tools will provide a basic level of protection, monitoring and risk management. Once implemented, the toolset can be expanded with solutions such as IRP or SOAR to automate incident response, or IAM to manage access and privileges.
The risk management process is not static and needs continuous improvement. For this:
- regular reviews of the risk register and risk matrix are conducted;
- changes in the business environment and technological landscape are taken into account;
- incident response procedures and risk mitigation measures are improved.
The results
Any process within the company must be evaluated with qualitative and quantitative metrics. For our situation, performance indicators will be, for example, the number of IS incidents and the financial losses from them. A qualitative metric can be employees' awareness of the risks, which can be assessed from the results of testing or from the outcomes of simulated phishing exercises.
In this material, I tried to analyze in detail how one of the key IT processes is implemented in a company based on the ITIL methodology. Soon we will release the second article, about the COBIT methodology and the specifics of its use. In the meantime, I am ready to answer your questions and comments, and to discuss how relevant ITIL is for IT processes.