Application Risk Management

Many large and medium-sized businesses face the problem of understanding and inventorying the applications in use across diverse regions and departments. Without a clear picture of how each application is used, who owns it, what type of data it stores, and how it is maintained, the ability of CIOs and management to assess risk is greatly handicapped.

How to Manage Application Risk

Here are a few steps to get moving in the right direction:

1. Application Inventory: First, management needs an accurate inventory of the applications in use throughout the organization, along with a few basic details for each (owner, data stored, user population, how it is maintained). I usually inspect the various system listings, perform interviews, and observe the applications themselves to paint a clear picture of the company's application environment.

Pro-Tip: IT Operations may be able to assist with building an accurate Application Inventory. IT management platforms such as Microsoft SCCM, ManageEngine, McAfee ePolicy Orchestrator and Symantec Endpoint Protection Manager can all collect and export application usage statistics for the organization. Keep in mind that these tools see software installed on managed endpoints; applications used only through a browser and user-built spreadsheet or Access "applications" will still have to be found through interviews.

App Risk 1

2. Risk Score: Once you have a clear picture of all of the applications in your environment you can develop a risk scoring system. I typically think through the factors that create risk in each application (the sensitivity of the data it stores, how widely it is used, whether it has an accountable owner, whether it is actively maintained), assign each factor a weight, and enter the relevant data for every application. If you are tech savvy you can automate the scoring.

App Risk 2

3. Project Selection: Now that you have a full inventory of applications and understand the risk associated with each, you can use this information to drive project selection and the allocation of internal resources and budget.
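The three steps above, carried through end to end as an added example (this is not code from the original post): two constructed tool exports are merged into one inventory, hand-gathered ownership details are attached, a weighted score is computed, and the applications are ranked to feed project selection. The column names, the weights and the sample data are all assumptions; real SCCM or ePO exports will need their own column mapping, and the weights should be tuned to your organization. Note that an application missing from the ownership data is deliberately scored as high risk, because "nobody knows who owns this" is itself a finding.

```python
"""Added example: merge application inventory exports, apply a weighted
risk score, and rank applications for project selection."""
import csv
import io

# Constructed sample exports. Column names are assumptions, not real tool output.
SCCM_EXPORT = """\
name,version,installs
Payroll Suite,4.2,35
Payroll suite,4.1,3
CRM Web Client,2024.1,410
Legacy Reporting,1.0,12
"""

EPO_EXPORT = """\
application,hosts
payroll suite,38
crm web client,405
Ad-hoc Access DB,7
"""

# Details gathered by interview (constructed). Keys are normalised app names.
OWNERSHIP = {
    "payroll suite":    {"owner": "HR",      "data": "pii",       "managed": True},
    "crm web client":   {"owner": "Sales",   "data": "customer",  "managed": True},
    "legacy reporting": {"owner": None,      "data": "financial", "managed": False},
    "ad-hoc access db": {"owner": "Finance", "data": "financial", "managed": False},
}


def normalise(name: str) -> str:
    """Collapse case and whitespace so the same app reported by two tools matches."""
    return " ".join(name.lower().split())


def merge_inventory(*exports):
    """Combine (csv_text, name_column, count_column) exports into one
    {normalised name: user count} map, keeping the largest count seen."""
    inventory = {}
    for text, name_col, count_col in exports:
        for row in csv.DictReader(io.StringIO(text)):
            key = normalise(row[name_col])
            inventory[key] = max(inventory.get(key, 0), int(row[count_col]))
    return inventory


# Illustrative weights (assumptions): data sensitivity dominates the score.
DATA_WEIGHT = {"public": 0, "internal": 1, "customer": 3, "financial": 4, "pii": 5}


def risk_score(users: int, details: dict) -> int:
    """Weighted score from data sensitivity, breadth of use, ownership and maintenance.
    An app with no details at all scores as unowned and unmanaged on purpose."""
    score = DATA_WEIGHT.get(details.get("data", "internal"), 1) * 2   # data sensitivity
    score += 3 if users >= 100 else 1 if users >= 10 else 0           # breadth of use
    score += 3 if details.get("owner") is None else 0                 # no accountable owner
    score += 2 if not details.get("managed", False) else 0            # not maintained by IT
    return score


def rank_applications(inventory, ownership):
    """Return (app, users, score) tuples, highest risk first."""
    ranked = [(app, users, risk_score(users, ownership.get(app, {})))
              for app, users in inventory.items()]
    ranked.sort(key=lambda r: r[2], reverse=True)
    return ranked


if __name__ == "__main__":
    inv = merge_inventory((SCCM_EXPORT, "name", "installs"),
                          (EPO_EXPORT, "application", "hosts"))
    for app, users, score in rank_applications(inv, OWNERSHIP):
        print(f"{score:3d}  {users:5d} users  {app}")
```

The ranked output is the input to step 3: the unowned, unmaintained "legacy reporting" system lands at the top even though it has far fewer users than the CRM client, which is exactly the kind of result a user-count-only view would hide.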

Am I missing anything? How are you managing application risk?

5 thoughts on "Application Risk Management"

  • Landesk is another very interesting option for IT Management and may allow your support teams to collapse a couple functions into one solution.

    I’ve never had much luck with anything McAfee has put out, but experiences vary.

  • As an auditor, I look to strong Information Security or Data Retention programs as a good source of application information. Some IS groups will have identified the information you noted above. That information is typically used to determine frequency and depth of access reviews or vulnerability scanning. The data retention policy can also give you insight into the significance of the application using the data.

    One area we have always struggled with is the spreadsheet or database “applications” used in business areas. These are the Excel documents or Access databases used to create GL entries or drive other significant processes. These “applications” tend to fly under the radar and are difficult to find. But they can be equally as important, if not more so, than the established desktop/web applications. This requires partnering with your financial or operational auditors to round out your inventory.

    • A few years ago when I was working in IT Managed Services, I worked on a Desktop Transformation project for a client that had literally HUNDREDS of custom “apps” built in Excel and Access.

      Apart from the issue of Visual Basic portability from one version of Office to the next, another issue they had was verifying that the output and internal processes within the custom program logic were always correct!

      These custom “Apps” are an auditor and IT manager’s nightmare! Indexing and managing an inventory of them was extremely manual and tedious. We ended up having the department heads all manage them in a SharePoint list and using a SQL SSIS package to pull the data into our main database.

  • Another way to assess application risk is to get a list of all change management records. Which apps fail the most? Which apps have the most users? Which apps get updated the most and have the most emergency changes?

    • I really like this suggestion especially if the company keeps centralized change management records! Added complexity when your company is siloed, operates in business units, or across platforms.
