3.2.1 Managing IT Risks
| No: 43028139 | Date(g): 4/11/2021 | Date(h): 29/3/1443 | Status: In-Force |
Principle
IT Risk Management process should be defined, approved, implemented, communicated and aligned to the Member Organization's Enterprise Risk Management process, including the identification, analysis, treatment, monitoring and review of IT risks at appropriate intervals.
Control Requirements
| 1. | IT risk management process should be defined, approved, implemented and communicated. | |
| 2. | The effectiveness of the IT risk management process should be measured and periodically evaluated. | |
| 3. | IT risk management process should be aligned with the Member Organization's enterprise risk management process. | |
| 4. | IT risk management process should clearly address the following sub processes, including but not limited to: | |
| a. | risk identification, analysis and classification; | |
| b. | risk treatment; | |
| c. | risk reporting; and | |
| d. | risk monitoring and profiling. | |
| 5. | IT risk management process should address Member Organization's information assets, including but not limited to: | |
| a. | business processes and related data; | |
| b. | business applications; | |
| c. | infrastructure components; and | |
| d. | Third party relationships and associated risks. | |
| 6. | IT risk management process should address Member Organization's people aspect (i.e. permanent staff, contractual employees, third party). | |
| 7. | IT risk management process should be initiated at, but not limited to: | |
| a. | an early stage of the program and project implementation; | |
| b. | prior to initiate critical and major changes to the information assets; | |
| c. | the time of outsourcing services; and | |
| d. | prior to procuring of new systems, tools and emerging technologies (i.e. Distributed Ledger Technology (DTL), Robotic Process Assurance (RPA)etc.) | |
| 8. | Existing information assets should be subject to periodic IT risk assessment based on their criticality such as: | |
| a. | all mission critical and critical information assets should be assessed at least once a year; and | |
| b. | non-critical information assets should be assessed based on their importance to the business. | |
| 9. | IT risk management activities should involve the following stakeholders, but not limited to: | |
| a. | business owners and users; | |
| b. | IT departmental/functional heads; | |
| c. | technical administrators; and | |
| d. | cyber security specialists. | |
| 10. | The Member Organization's should develop and implement IT risk response (i.e. avoid, mitigate, transfer and accept) and control strategies that are consistent with the value of the information assets and member organizations risk appetite. | |
| 11. | IT key risk indicators (KRIs) should be defined, implemented and monitored. | |