Integrated Risk Management Initiative

Overview

The IT threat landscape for the Government of Canada (GC) is ever-changing – new threats emerge, destructive exploits proliferate, and our adversaries are always on the offensive. In order to maintain an effective public service in the face of rising risk, the GC proposes an IT Integrated Risk Management (IRM) program. Treasury Board of Canada Secretariat (TBS), defines IRM in Framework for the Management of Risk as “a continuous, proactive and systematic process to understand, manage and communicate risk from an organization-wide perspective”. The GC Digital Operations Strategic Plan for Information Management and Information Technology (IM/IT) 2017 to 2021 lays out the GC’s vision to have a centralized capability to conduct IRM management activities in order to gain a holistic picture of cyber-related business risks in the GC. A consolidated view of cyber risks is vital to enhance awareness of cyber threats and risks at the enterprise level. In addition, it supports strategic decision-making which contributes to the achievement of an organization's overall objectives.

The TBS proposes an IRM program that is aligned with the Canadian Centre for Cyber Security (CCCS)’s IT Security Risk Management Framework (ITSG-33), and is comprised of dedicated resources, purpose-specific technology, and integrated automated processes. IRM builds on and rebrands the umbrella term of Governance, Risk and Compliance (GRC).

Alignment with GC Enterprise Security Architecture

The GC Enterprise Security Architecture Description Document (ESADD) Annex D for Security Operations highlights the concept of risk identification and risk management, and the management of security-related risk to the GC Enterprise. IRM provides a platform to implement automation for the risk identification and management process described in this ESADD.

Departments currently manage IT security risks independently using their own set of disparate tools and methodologies. Every department must assess information system risk following the ITSG-33 methodology; however, each department has a different risk appetite, applies the methodology slightly differently and tracks it in various forms, including Word documents, Excel spreadsheets, Risk Registrars and other formats. The resulting departmental risk data exists in isolation and is not shared or viewable in an enterprise GC context. Results from recent audits and Management Accountability Framework (MAF) assessments have provided evidence of these inconsistencies and reinforced the need for the GC to work toward more standardized and consolidated cyber risk management.

GC IRM Vision

The GC IRM vision is to gain a holistic enterprise view of cyber risks by consolidating data feeds from multiple GC resources. An iterative and modular implementation approach is planned in order to develop competencies and data sources while expanding the organization’s view of cyber risk.

GC IRM Approach

To overcome the current challenges, the GC vision will focus on people, processes, and technology within an IRM program. At an operational level, the IRM program will require multiple, specialized resources to perform system administration, risk analysis support, process and enterprise data source onboarding, data warehouse management, and continuous risk monitoring. The program will work to automate business processes by developing use cases towards a federated model. It will also identify gaps and develop tools to assist departments in streamlining and standardizing their processes and reporting. The technical solution will help automate workflows and notifications in order to reduce dependence on manual processes and to drive consistency and trusted results into the enterprise systems IRM program. In its ideal end state, the IRM technical solution will recognize the interconnected nature of risk across the GC enterprise.

IRM Concepts

Gartner defines IRM as “a set of practices and processes supported by a risk-aware culture and enabling technologies, that improves decision making and performance through an integrated view of how well an organization manages its unique set of risks”. IRM is typically viewed in the context of a framework or suite of tools which enable a comprehensive approach to all governance and compliance functions within an organization, allowing it to create a standardized structure and take a risk-based approach to objectively prioritize activities across all functions and levels. There are many areas of risk that may be included in the IRM IT Security program. The traditional risk domains addressed by IRM platforms are illustrated in Notional IRM Suite diagram below.

The TBS IRM concept paper and entity relationship diagram focuses on IT Security IRM. Other areas of risk will be added at a later date. Key areas of IT security that contribute to the holistic view for the IT Security risks are captured in the High Level Entity Model Diagram below.

For more information about the IRM initiative, please refer to the GC IT IRM (GRC) Concept Paper, Entity Model - GC Integrated Risk Management Diagram and the Entity Model Lite - GC Integrated Risk Management Diagram.

References

• GC IT IRM (GRC) Concept Paper
• Entity Model - GC Integrated Risk Management Diagram
• Entity Model Lite - GC Integrated Risk Management Diagram
• GC, Guide to Integrated Risk Management
• GC, Digital Operations Strategic Plan 2018-2022
• Canadian Centre for Cyber Security, IT Security Risk Management: A Lifecycle Approach (ITSG-33), 2012
• GC, Framework for the Management of Risk
• GC, Enterprise Security Architecture Description Document (ESADD) - Annex D Security Operations, 2017.
• GRC/IRM IT Security Working Group