What is IT Risk Management? A Complete Guide

12/11/2019

As your company embraces its digital transformation strategy, you’re increasing your reliance on cloud services providers (CSPs). With more vendors accessing your information, you increase the complexity of your enterprise risk management program. A compromised vendor doesn’t even need to be a company with whom you do business.

In addition to third-party vendors, fourth or fifth party service providers who experience a data breach can leave your organization’s information vulnerable to malicious actors. Understanding information risk management and how to mitigate these risks can be the first step to protecting yourself and your customers.

What is information risk?

Information risk is a calculation based on the likelihood that an unauthorized user will negatively impact the confidentiality, integrity, and availability of data that you collect, transmit, or store. More specifically, you need to review all data assets to ensure:

  • Confidentiality: Establish and enforce appropriate authorization controls so that only users who need access have access
  • Integrity: Establish and enforce controls that prevent changing information without data owner permission
  • Availability: Establish and enforce controls that prevent systems, networks, and software from being out of service

What is information technology (IT) risk management?

IT risk management, also called “information security risk management,” consists of the policies, procedures, and technologies that a company uses to mitigate threats from malicious actors and reduce information technology vulnerabilities that negatively impact data confidentiality, integrity, and availability.

Why is IT risk management important?

By identifying and analyzing potential vulnerabilities within an enterprise IT network, organizations can better prepare for cyber attacks and work to minimize the impact of a cyber incident, should it occur. The procedures and policies implemented with an IT risk management program can help guide future decision-making about how to control risk while focusing on company goals.

What are the steps in the IT risk management process?

Critical steps that organizations engaging in an IT risk management (IRM) program need to perform include: identifying the location of information, analyzing the information type, prioritizing risk, establishing a risk tolerance for each data asset, and continuously monitoring the enterprise’s IT network.

Breaking this process down into the following 7 steps shows how each one contributes to an effective IT risk management program:

1. Identify potential points of vulnerability

Conceptually, identifying the locations where your data resides seems simple enough. Most organizations start with their databases or collaborative applications. However, as more companies embrace cloud-first or cloud-only strategies, data becomes more dispersed and vulnerable to cyber threats.

Organizations no longer solely store data in on-premises servers. Many now use serverless or other cloud-based storage locations such as shared drives. Additionally, many organizations collect data in new ways such as via customer-facing web portals. New data transmission channels, such as email and messaging services, also change how organizations share information with internal and external stakeholders.

Cloud-based data collection, transmission, and storage locations pose a higher risk of theft because organizations often lack visibility into the effectiveness of their controls. Thus, server hardware in an on-premises location may be a lower risk than a cloud-based server. When engaging in an information risk assessment, you need to identify the myriad locations and users who “touch” your information.

2. Analyze data types

Not only do you need to know where your data resides, but you also need to know what data you collect. Not all types of data are created equally. Personally identifiable information (PII) includes data such as name, birth date, social security number, or even IP address. Since malicious actors often target PII because they can sell it on the Dark Web, the information is a high-risk asset.

Meanwhile, you also store low-risk information, such as marketing copy. If malicious actors obtain a copy of a blog post, for instance, they can’t sell that online.

Identifying the types of data your organization stores and aligning that to the locations where you store your information act as the basis for your risk analysis.

3. Evaluate and prioritize the information risk

Now that you’ve reviewed all data assets and classified them, you need to analyze the risk. Each data asset type resides in a particular location. You need to determine how the risk each poses overlaps and impacts the potential for a malicious actor to attack. The best way to do this is to calculate:

Risk Level = Likelihood of a data breach × Financial impact of a data breach

For example, a low-risk data asset, such as marketing copy, may be in a high-risk location such as a file-sharing tool. However, the financial impact on your company if a malicious actor steals the information is minimal. Thus, this might be categorized as low or moderate risk.

Meanwhile, a high-risk data asset, such as a consumer medical file, in a moderate risk location, such as a private cloud, would lead to a large financial impact. Thus, this would almost always be considered a high risk to your organization.

4. Set a risk tolerance and establish IT risk management processes

Setting your risk tolerance means deciding whether to accept, transfer, mitigate, or refuse the risk. An example of a control for transferring risk might be purchasing cyber risk liability insurance. An example of a control for mitigating risk might be to put a firewall in place to prevent access to the location where the data resides.

Mitigating controls, such as firewalls or encryption, act as roadblocks for malicious actors. However, even mitigating controls can fail.

5. Mitigate existing risks

Along with establishing risk management processes, you will want to establish mitigation techniques for the risks identified as beyond the risk tolerance. These controls include mitigation processes such as firewalls, data encryption, data backups, keeping hardware up to date, and putting in place multi-factor authentication controls.
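Steps 3 to 5 above, worked through as a small risk register in code. This is an added example, not SecurityScorecard's own code or method: the 1-3 scales, the product thresholds that map onto the article's low/moderate/high categories, and the register entries are constructed assumptions, using the two cases the article describes (marketing copy in a file-sharing tool, a medical file in a private cloud) plus one more.

```python
from dataclasses import dataclass

# Ordinal scales for the two factors the article multiplies. The numeric values
# and the level thresholds below are a constructed convention for this example.
LIKELIHOOD = {"low": 1, "moderate": 2, "high": 3}  # how exposed the storage location is
IMPACT = {"low": 1, "moderate": 2, "high": 3}      # financial impact if the data is stolen
LEVELS = ["low", "moderate", "high"]


@dataclass(frozen=True)
class DataAsset:
    name: str
    data_type: str   # what the data is (step 2)
    location: str    # where it resides (step 1)
    likelihood: str  # breach likelihood of that location
    impact: str      # financial impact of a breach of this data


def risk_score(asset):
    """Risk Level = Likelihood of a data breach x Financial impact, as a 1..9 product."""
    return LIKELIHOOD[asset.likelihood] * IMPACT[asset.impact]


def risk_level(score):
    """Map the product onto the article's low / moderate / high categories."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "moderate"
    return "low"


def prioritize(assets):
    """Step 3: order the register so the highest-risk asset is handled first."""
    return sorted(assets, key=risk_score, reverse=True)


def beyond_tolerance(assets, tolerance):
    """Steps 4-5: assets whose level exceeds the tolerance cannot simply be accepted;
    they need a treatment (transfer, mitigate or refuse)."""
    limit = LEVELS.index(tolerance)
    return [a for a in assets if LEVELS.index(risk_level(risk_score(a))) > limit]


# Constructed register: the article's two worked cases plus a third asset.
REGISTER = [
    DataAsset("blog drafts", "marketing copy", "file-sharing tool", "high", "low"),
    DataAsset("patient records", "medical file", "private cloud", "moderate", "high"),
    DataAsset("crm export", "PII", "on-premises database", "low", "high"),
]

if __name__ == "__main__":
    for a in prioritize(REGISTER):
        s = risk_score(a)
        print(f"{a.name:16} {a.data_type:15} in {a.location:21} score={s} level={risk_level(s)}")
    print("needs treatment:", [a.name for a in beyond_tolerance(REGISTER, "moderate")])
```

Running the script lists the patient records first (score 6, high) and reports it as the only asset beyond a "moderate" tolerance; the marketing copy lands at moderate, as the article expects.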

6. Leverage a data security solution

To reduce the burden on internal teams, it’s recommended to invest in a data security solution for critical risk scenarios. Investing in data security solutions can decrease the potential of internal threats by keeping access to data in the hands of security professionals.

7. Continuously monitor your risk

Malicious actors never stop evolving their threat methodologies. As companies get better at identifying and protecting against new ransomware strains, malicious actors have responded by focusing more on cryptocurrency and phishing. In other words, today’s effective controls might be tomorrow’s weaknesses.

What are the best practices for information risk management?

An effective IT risk management program should use a combination of different policies and strategies, as attacks can come in many forms and what works for one data asset might not be successful for another. However, there are overarching actions that all organizations can take to begin strengthening their cybersecurity posture. Most importantly, it is imperative that enterprise security teams have continuous monitoring in place to ensure that cybersecurity efforts are keeping up with the evolving threat landscape.

Here are 3 best practices for managing your organization’s IT risk management program:

1. Monitor your IT environment

Continuously monitoring your IT environment can help your organization detect weaknesses, and help you prioritize your remediation activities.

For example, many organizations struggle with cloud resource configuration. News reports often mention “AWS S3” buckets. These public cloud storage locations are not inherently risky, but a failure to appropriately configure them leaves them open to the public, including attackers. Continuously monitoring your IT environment can help detect misconfigured databases and storage locations to better secure information.
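One form the monitoring check for misconfigured storage can take: auditing a bucket policy for statements that grant access to everyone. This is an added example, not SecurityScorecard's own tooling; the three policy documents are constructed samples in the AWS policy document format, and the bucket name, account id and VPC endpoint id are placeholders.

```python
# Constructed sample bucket policies (placeholder bucket, account and endpoint ids).
PUBLIC_READ = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",                      # anonymous: anyone on the internet
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}
SCOPED_TO_ROLE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
}
WILDCARD_WITH_CONDITION = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VpcOnly",
        "Effect": "Allow",
        "Principal": {"AWS": ["*"]},            # wildcard, but gated by a Condition
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
}


def _anonymous_principal(principal):
    """True when the statement's Principal grants to everyone ('*' in any of its forms)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def audit_bucket_policy(policy):
    """Classify Allow statements with an anonymous principal.

    'public'      - no Condition at all: the bucket contents are open to the internet.
    'conditional' - a Condition narrows the grant; a reviewer must still confirm
                    the condition is actually restrictive (e.g. a VPC endpoint).
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
    findings = {"public": [], "conditional": []}
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _anonymous_principal(stmt.get("Principal")):
            continue
        kind = "conditional" if stmt.get("Condition") else "public"
        findings[kind].append(stmt.get("Sid", "<unnamed>"))
    return findings


if __name__ == "__main__":
    for name, policy in [("PUBLIC_READ", PUBLIC_READ), ("SCOPED_TO_ROLE", SCOPED_TO_ROLE),
                         ("WILDCARD_WITH_CONDITION", WILDCARD_WITH_CONDITION)]:
        print(f"{name:24} {audit_bucket_policy(policy)}")
```

In a real monitoring job the policy documents would be fetched from the cloud account's API and the "public" findings fed into the remediation queue described in the previous section.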

2. Monitor your supply stream

Third-party vendor risk mitigation also acts as an important part of your IT risk management strategy. While you can control your vendors, you may not be able to assert the same contractual obligations against their vendors. As part of your holistic information risk management strategy, you need visibility into the cybersecurity posture across your ecosystem.

For example, if your vendor’s vendor uses a cloud database and stores data as plain text, then your information is at risk. Continuously monitoring your supply stream for encryption, a way to make the data unreadable even if an attacker accesses it, provides visibility into your ecosystem’s cyber health.

3. Monitor compliance

As data breaches command more news headlines, legislative bodies and industry standards organizations have released more stringent compliance requirements. Several new laws, such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the New York Stop Hacks and Improve Electronic Data Security (NY SHIELD) Act, require continuous monitoring as part of a compliance cybersecurity program.

To create a compliant IT risk management program, you need to be monitoring and documenting your activities to provide assurance to internal and external auditors. As you continuously monitor your enterprise’s IT ecosystem, you need to prioritize remediation actions and document your activities, providing your auditors proof of governance.

How SecurityScorecard enables IT risk management

SecurityScorecard’s security ratings platform provides continuous insight into the effectiveness of your IT risk management program. Our platform collects publicly available information from across the internet and then correlates that information for insight into ten factors, including IP reputation, DNS health, web application security, network security, leaked credentials, hacker chatter, endpoint security, and patching cadence.

Using an easy-to-read A-F grading system, SecurityScorecard’s platform provides at-a-glance visibility into an organization’s holistic cybersecurity posture, drilling down to the individual factors. These ratings help organizations view their strengths and their weaknesses so that they can prioritize their IT risk management strategies.

SecurityScorecard also includes capabilities for third-party risk management to help manage supply stream information risk more effectively. The platform incorporates portfolio creation so that you can review vendor risk by the individual vendor, cohort, or industry. These capabilities alert you to potential risks so that you can communicate with vendors to better secure your information.

With the right IT risk management program, organizations can confidently analyze and manage their networks – including those of their vendors and service providers – mitigate risks and vulnerabilities, and stay ahead of threat actors.
