Out-Law News 1 min. read

Managing risk in technology projects demands overview of business and consumer issues, says UK cyber agency


Public sector bodies and their IT suppliers must weigh factors such as the importance of organisational assets and services, their reputation and consumer privacy when deciding what steps to take to manage risk inherent in the use of new technologies, a UK cyber security agency has said.

The UK government’s National Technical Authority for Information Assurance (CESG) said weighing up such factors can help public sector organisations and their supply chain understand what risks they can accept and what steps they need to take to manage them.

"Organisations cannot develop without taking risks," CESG said in new guidance on technology and information risk management (22-page / 1.04MB PDF). "Technology and information risk is not just about avoidance and mitigation; the pursuit and acceptance of risk creates opportunities and can help deliver business objectives."

CESG said that risk management is not something an organisation can carry out once when implementing new technology and then forget about.

Because organisational needs, the IT security threat environment and technology and information security vulnerabilities change over time, "risk management needs to happen throughout the lifecycle of a system or service", it said. Management of risk should be "informed by a realistic view of risk and a clear understanding of the organisation and its objectives", CESG said.

The agency also warned public sector bodies and their suppliers that they cannot make IT teams solely responsible for technology and information risk management. It said everyone in an organisation has a role to play in managing such risks.

"Risk management decisions should be objective and informed by an understanding of risk," the CESG guidance said. "They should not be made in isolation but on a basis of understanding how individual decisions affect the wider business, and what it is trying to achieve."

"Organisations should decide for themselves what risk management decisions need to be made to support the delivery and operation of a system or service, and could include: the authorisation of expenditure to design a system or service; the authorisation of expenditure to build, test, install, run and decommission a system or service; the approval to use information, a system or a service during the test, install, run, and decommission stages of a system or service lifecycle," it said.

"The right people need to make decisions at the right time, with the right advice and support. They need to be empowered by the organisation and have the right business, technology, security knowledge and skills to enable informed and objective decisions," CESG said.