3.2 IT Risk Management
IT Risk Management is a continuous process of identifying, analyzing, responding to, monitoring, and reviewing risks related to IT from process, technology and people perspectives. In order to manage IT risks, Member Organizations should continually identify, assess and reduce IT risks within the levels of tolerance set by the Member Organization's senior management.
3.2.1 Managing IT Risks
Principle
IT Risk Management process should be defined, approved, implemented, communicated and aligned to the Member Organization's Enterprise Risk Management process, including the identification, analysis, treatment, monitoring and review of IT risks at appropriate intervals.
Control Requirements
1. IT risk management process should be defined, approved, implemented and communicated.
2. The effectiveness of the IT risk management process should be measured and periodically evaluated.
3. IT risk management process should be aligned with the Member Organization's enterprise risk management process.
4. IT risk management process should clearly address the following sub processes, including but not limited to:
a. risk identification, analysis and classification;
b. risk treatment;
c. risk reporting; and
d. risk monitoring and profiling.
5. IT risk management process should address Member Organization's information assets, including but not limited to:
a. business processes and related data;
b. business applications;
c. infrastructure components; and
d. third party relationships and associated risks.
6. IT risk management process should address Member Organization's people aspect (i.e. permanent staff, contractual employees, third party).
7. IT risk management process should be initiated at, but not limited to:
a. an early stage of the program and project implementation;
b. prior to initiating critical and major changes to the information assets;
c. the time of outsourcing services; and
d. prior to procuring new systems, tools and emerging technologies (i.e. Distributed Ledger Technology (DLT), Robotic Process Assurance (RPA), etc.).
8. Existing information assets should be subject to periodic IT risk assessment based on their criticality such as:
a. all mission critical and critical information assets should be assessed at least once a year; and
b. non-critical information assets should be assessed based on their importance to the business.
9. IT risk management activities should involve the following stakeholders, but not limited to:
a. business owners and users;
b. IT departmental/functional heads;
c. technical administrators; and
d. cyber security specialists.
10. The Member Organization should develop and implement IT risk response (i.e. avoid, mitigate, transfer and accept) and control strategies that are consistent with the value of the information assets and the Member Organization's risk appetite.
11. IT key risk indicators (KRIs) should be defined, implemented and monitored.
3.2.2 Risk Identification and Analysis
Principle
Information assets should be identified, recorded and maintained to gather information about related threats and existing controls, and the associated risks should be analyzed based on their likelihood of occurrence and resulting impact.
Control Requirements
1. IT risk identification should be performed, documented and periodically updated in the formal centralized risk register.
2. IT risk register should be regularly updated.
3. IT risk analysis should address the following, but not limited to:
a. information asset description and classification;
b. potential threat(s) to the information asset;
c. impact and likelihood;
d. existing IT controls;
e. risk owner (business or process owner);
f. implementation owner (control owner); and
g. inherent as well as residual risks related to the information assets.
3.2.3 Risk Treatment
Principle
IT risks associated with the Member Organization's information assets should be adequately treated based on the applicable criteria (i.e. accepted, avoided, transferred or mitigated).
Control Requirements
1. IT risk treatment plan should be defined, approved and communicated.
2. IT risk treatment plan should be implemented and periodically evaluated.
3. IT risks should be treated according to the Member Organization's risk appetite defined by the relevant governance function owner and approved by the ITSC.
4. IT risk treatment plan should include the detailed design and implementation of the controls required to mitigate the identified risks.
5. IT risk treatment plan should ensure that the list of risk treatment options is formally documented (i.e. accepting, avoiding, transferring or mitigating risks by applying IT controls).
6. Risk acceptance should be the least preferred option; risk mitigation through the implementation of primary controls should be preferred over it.
7. Accepting IT risks should be formally documented, approved and signed off by the business owner and reported to the risk committee, ensuring that:
a. risk acceptance should be provided with a detailed justification, including but not limited to the following:
1. impact (i.e. operational, financial and reputational) of not implementing the primary control(s); and
2. compensating control(s) in place of primary control(s) for risk mitigation.
b. the accepted IT risk should be within the risk appetite of the Member Organization;
c. the accepted IT risk should not contradict the SAMA regulations;
d. a separate exception should be documented for each unique risk;
e. risk acceptance should be renewed periodically; and
f. risk acceptance should be presented and reported to the risk committee.
8. Avoiding IT risks should involve a decision by a business owner and risk committee to cancel or postpone a particular activity or project that introduces an unacceptable IT risk to the business.
9. Transferring or sharing the IT risks should:
a. involve sharing the IT risks with relevant (internal or external) providers; and
b. be accepted by the receiving (internal or external) provider(s).
10. Applying IT controls to mitigate IT risks should include:
a. identifying appropriate IT controls;
b. evaluating the strengths and weaknesses of the IT controls;
c. selection of adequate IT controls; and
d. documenting and obtaining sign-off for any residual risk by the business owner and risk committee.
11. IT risk treatment actions should be documented in a risk treatment plan.
3.2.4 Risk Reporting, Monitoring and Profiling
Principle
IT risks should be treated according to the defined treatment plans and should be effectively reviewed, monitored and reported.
Control Requirements
1. IT risk assessment results should be formally documented and reported to the relevant business owners and senior management.
2. IT risk assessment results should include risks, impact, likelihood, mitigations, and remediation status.
3. IT risks should be monitored, including but not limited to:
a. tracking progress in accordance with the risk treatment plan; and
b. confirming that the selected and agreed IT controls are being implemented.
4. The design and operating effectiveness of the revised or newly implemented IT controls should be monitored and reviewed periodically.
5. The relevant business owners should accept the IT risk assessment results.
6. IT risk assessment results should be endorsed by the risk committee.
7. IT key risk indicators (KRIs) should be defined, implemented and monitored.
8. IT risk profile and related data should be provided as an input to the operational risk department to formulate an organization-level risk profile.
9. IT risk profile should be formulated and presented to the senior management, IT Steering Committee and board of directors on a periodic basis.