Implementing Risk Management Model in Medium-sized Organization
Ruha, Tomi (2024)
All rights reserved. This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:amk-202403104101
Abstract
This thesis was commissioned because the Risk Management Model was not in use in the organization's IT department. It was found that what this requires from the organization is a critical matter that needs to be investigated. The problem that was solved is dealing with risks in the IT department in order to avoid bigger problems in the future and to keep critical assets secure. The scope of the work was limited to the operational risks of the IT department and to what is needed to get Risk Management up and running in the organization. This was solved by studying CISSP practices that are linked to the VAHTI Risk Management model, which is based on the ISO 31000 standard. This thesis does not deal with legal or regulatory requirements. This study also excludes Supply Chain Risk Management, project Risk Management and many other areas, such as threat modeling, even though they also apply to the IT department. This thesis also does not take a stand on quantitative versus qualitative Risk Management or on the calculation of the monetary value of an asset. A line had to be drawn somewhere about what could be included here. The clearest findings are the low level of maturity of the entire organization in cybersecurity matters; these issues need to be addressed through training, communication, and clear justification. At the end of the day, Risk Management is not just a matter for the IT department but an organization-wide issue, although perspectives and risks differ between the departments of the organization. The identification of critical assets and the lack of several policies slow down the implementation of these matters.
