"The golden middle way is, in many instances, the perfect solution for managing the IT risk",> explains Peter Weissenberger, head of IT Consulting at Kapsch BusinessCom. "When the costs that might cause a system failure are lower than the cost of protection, then IT security overshoots its target. To determine how far individual departments rely on specific systems, we analyse each sub-area of the company in the course of our consulting processes. The standardised CRISAM procedure is used for this. This method makes it possible to obtain a detailed picture of the status quo - and deficits - of the IT infrastructure and IT processes".
Unsecured IT worsens the balance sheet
The main argument in favour of a properly protected IT infrastructure is the possible reduction in costs it offers. A good IT rating has a positive effect both on insurance costs and on credit interest. The CRISAM (Corporate Risk and IT Security Application Method) rating procedure used at Kapsch BusinessCom is based on the rating approach of Standard & Poor’s (S&P). Instead of assessing the risk as a gut feeling, this method provides a differentiated benchmark of the information technology in terms of availability, reliability, data integrity and legal conformity. A main strength of the CRISAM method is that IT services such as ERP, e-mail, Office and the Internet are evaluated department by department. Only this detailed way of looking at things produces a realistic estimate of the possible amount of damage, because while a failure of the e-mail system may have only minor consequences in some departments, it can lead to huge costs in others.
The evaluation in the CRISAM method is carried out with the same rating codes as used in the finance sector: AAA stands for excellent protection with the best technologies currently available. At the other end of the scale, CCC indicates a high overall risk. The primary yardstick for the evaluation is the "state of the art". This describes the minimum security level that the company must have in order to attain an "Investment Grade" rating (minimum BBB). If the IT infrastructure falls below this, only a "Speculative Grade" rating (BB, B, CCC) is possible, which has a negative effect on costs.
Approach according to the CRISAM method
The CRISAM method, which is used by the experts of Kapsch BusinessCom, describes a six-step process that enables a detailed analysis of the existing IT infrastructure. Firstly, a binding security policy is defined based on the company’s strategic objectives. The next step involves identifying the business processes covered by this policy and relating them to the existing IT system. This is followed by a realistic estimation of the security risk, together with employees of the company. The results of these analyses flow into a detailed risk tree, which finally produces the overall rating of the company. This system also enables deficits to be evaluated by IT systems and departments. Once the differences between the target and actual situations have been identified, measures are defined to close these gaps. In the final step of the CRISAM method, these measures are incorporated into concrete projects, prioritised according to importance and implemented - if the customer wishes, with Kapsch BusinessCom as an experienced partner.
"IT risk management is primarily a task for higher management", emphasises Peter Weissenberger. "This is because the tasks performed by IT in companies nowadays often have the character of production plants - if IT stands, so does the day-to-day business. Each manager who looks at his company from this perspective will understand the economic significance of IT risk management",> concludes Weissenberger.
Kapsch BusinessCom AG – a company of the Kapsch Group – has over 840 employees, sales of more than EUR 170 million in Austria and is one of the leading system integrators for state-of-the-art enterprise solutions in the field of telecommunications and networks as well as an established provider of IT solutions.
The total solution portfolio includes the business fields of Business Protection, Collaboration – i.e. the collaboration of teams – Network Excellence, IT Performance, Outtasking and Multimedia Solutions. It also includes the necessary basic infrastructure for all these solutions. The portfolio is rounded off with numerous Kapsch services, such as tailor-made financing and service options as well as consulting and project management for complex projects.
Kapsch BusinessCom focuses on vendor independence and partnership with leading global providers of technology, such as Cisco, Microsoft, Aastra, Avaya, HP and many others, with whom Kapsch implements integrated solutions for more than 15,000 customers.
With a local presence and around another 300 employees in Bulgaria, Croatia, the Czech Republic, Hungary, Romania, Slovakia, Slovenia and Poland, Kapsch BusinessCom is also a leading provider in Central and Eastern Europe.
For further information please contact:
Jutta Hanle
Company communication
Kapsch BusinessCom AG
Wienerbergstraße 53, 1121 Vienna, Austria
Phone: +43 50 811 5787
E-Mail: jutta.hanle@kapsch.net
www.kapschbusiness.com