Managing Software Lifecycle Risk

Risk management is not about eliminating risk: risk is a part of everyday life and must be managed, and some uncertainty always remains.

Risk Assessment: Systematic method of identifying the assets of a data processing system, the threats to those assets, and the vulnerability of the system to those threats.

Risk Management: Systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context and identifying, analyzing, evaluating, treating, monitoring and reviewing risk.

Source: ISO-IEC-27000:201

Risk Factors

  • Asset value: what are we protecting? Is it critical? Is it sensitive?
  • Threats: internal and external threats, both deliberate and accidental. A threat is anything that could go wrong, including losing key employees or a change in the business process.
  • Vulnerabilities: weaknesses or gaps, such as missing controls or a lack of testing, that allow a threat to go undetected and turn into a real problem.

Causes of Lifecycle Risk

  • Business Risk:
    • Changes to business requirements
    • Need to adapt quickly
    • Staffing challenges
    • New regulations
  • Technical Risk:
    • Technology becomes outdated or unsupported
    • Hard to maintain
    • Unable to support new functionality
    • Technology may fail causing business interruptions

Risk Response

Hopefully we are able to detect, evaluate and mitigate the risk. But sometimes we will find unmitigated risks.

Once we have found a risk, we can decide on one of the following:

  • Avoid risk: turn off the risky functionality
  • Accept risk: accept bearing the consequences if the risk is exploited
  • Mitigate/reduce risk: use new or additional controls
  • Transfer risk: outsource it, or pass it to an insurer

Risk Monitoring

We need to continuously monitor risks: what was once secure may be inadequate now.

Monitoring includes network, transactions, access controls and configuration.

Residual Risk and the Risk Register

It is impossible to have zero risk. There will always be what is called residual risk. There are also unresolved risks that we know we want to resolve at some point. Those are saved in the risk register so they can be tracked.

The risk register tracks all our known risks and can therefore give us a risk profile. This profile helps us determine whether this is an acceptable level of risk for management in today's world or not.
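As an added illustration (not part of the original notes), a small Python model of a risk register: each entry scores asset value, threat likelihood and vulnerability on an assumed 1..5 scale, records the chosen response from the list above, and the profile reports residual risk against an assumed appetite threshold. The register entries are constructed sample data, not from any real assessment.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Response(Enum):
    AVOID = "avoid"        # turn the risky functionality off
    ACCEPT = "accept"      # bear the consequences
    MITIGATE = "mitigate"  # add or improve controls
    TRANSFER = "transfer"  # outsource or insure

@dataclass
class Risk:
    name: str
    asset_value: int          # 1..5: how critical or sensitive the asset is (assumed scale)
    threat_likelihood: int    # 1..5: how likely the threat is to materialise
    vulnerability: int        # 1..5: how exposed we are (missing controls, no testing)
    response: Optional[Response] = None   # None = not yet decided, i.e. unresolved
    treatment_effect: float = 0.0         # fraction of risk removed by mitigation/transfer (0..1)

    def inherent(self) -> int:
        return self.asset_value * self.threat_likelihood * self.vulnerability  # 1..125

    def residual(self) -> float:
        if self.response is Response.AVOID:
            return 0.0                      # functionality removed, nothing left to exploit
        if self.response in (Response.MITIGATE, Response.TRANSFER):
            return self.inherent() * (1 - self.treatment_effect)
        return float(self.inherent())       # accepted, or still unresolved

def profile(register: list, appetite: float) -> dict:
    """Risk profile: totals, entries without a decision, and residual risks above the appetite."""
    return {
        "inherent_total": sum(r.inherent() for r in register),
        "residual_total": sum(r.residual() for r in register),
        "unresolved": [r.name for r in register if r.response is None],
        "above_appetite": [r.name for r in register if r.residual() > appetite],
    }

# Constructed sample register (illustrative names and scores only)
REGISTER = [
    Risk("Unsupported crypto library in payment service", 5, 4, 4, Response.MITIGATE, 0.75),
    Risk("Single engineer knows the billing batch job", 4, 3, 3, Response.MITIGATE, 0.5),
    Risk("Legacy FTP upload endpoint", 3, 4, 5, Response.AVOID),
    Risk("Cloud provider outage", 4, 2, 3, Response.TRANSFER, 0.4),
    Risk("New privacy regulation changes retention rules", 3, 3, 2),  # no decision yet
]

if __name__ == "__main__":
    print(profile(REGISTER, appetite=15))
```

Entries with no response and entries whose residual score exceeds the appetite are the ones that should come up at the next risk review.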

Going Forward