IT Risk Management Survey

IT Risk Management has become an important aspect of corporate governance in recent years. As a result, IT & Security groups in organizations are often subject to global and local regulations.

MetricStream in association with CSC is surveying industry professionals in various IT Risk & Security functions to better understand how their respective organizations are managing IT Risk.

This survey will take less than 10 minutes to complete. Thank you for taking the time to participate in this survey, and contributing your thoughts to this important topic.

Question Title

* 1. Please provide your email address (official email IDs only) below if you wish to receive the final report of the survey results, as well as be entered into a contest where 3 lucky respondents will receive either an Amazon or Starbucks gift worth $50 USD.

Please provide your email address (optional):

Question Title

* 2. Which of the functional areas cited below are in the purview of your organization’s IT risk management program?

Information Security Risk

IT Compliance

IT Operations Risk

IT Project Risk

Third Party Risk Management

Business Continuity / Disaster Recovery

Policy Compliance

Data Loss / Breach / Incident Management

Privacy

Other (please specify)

Question Title

* 3. How many formal risk assessments are conducted at your organization over a one year period?

0-25

25-100

100+

Question Title

* 4. How big is your IT risk team?

1-10 employees

10-25 employees

25-50 employees

50+ employees

Question Title

* 5. Is your IT Risk Management Program integrated with your Enterprise/Operational Risk Management Program?

Yes

No, but integration is planned in the near-term

No, and we do not have plans to integrate the programs

Question Title

* 6. Please rank the primary drivers in terms of the importance for your IT Risk Management program (Rate on a scale of 1 – 5, with 1 being least important and 5 being most important)

	1	2	3	4	5
Compliance with Legal and Regulatory Requirements	Compliance with Legal and Regulatory Requirements 1	Compliance with Legal and Regulatory Requirements 2	Compliance with Legal and Regulatory Requirements 3	Compliance with Legal and Regulatory Requirements 4	Compliance with Legal and Regulatory Requirements 5
Enterprise Risk Management	Enterprise Risk Management 1	Enterprise Risk Management 2	Enterprise Risk Management 3	Enterprise Risk Management 4	Enterprise Risk Management 5
Board Mandate	Board Mandate 1	Board Mandate 2	Board Mandate 3	Board Mandate 4	Board Mandate 5
Information Security Risk Management	Information Security Risk Management 1	Information Security Risk Management 2	Information Security Risk Management 3	Information Security Risk Management 4	Information Security Risk Management 5
Audit Requirements	Audit Requirements 1	Audit Requirements 2	Audit Requirements 3	Audit Requirements 4	Audit Requirements 5

Question Title

* 7. Which international standards and frameworks have you adopted in your organization’s Risk Management Program? (Please select all that apply)

NIST 800.30

ISO 27005

Risk IT / COBIT

Internally Developed

Other (please specify)

Question Title

* 8. Which of these would your risk management program perceive to be the biggest risk right now for your enterprise? – (Rate on a scale 1-5, with 1 being least important and 5 being most important)

	1	2	3	4	5
Data Loss / Breaches	Data Loss / Breaches 1	Data Loss / Breaches 2	Data Loss / Breaches 3	Data Loss / Breaches 4	Data Loss / Breaches 5
Cloud	Cloud 1	Cloud 2	Cloud 3	Cloud 4	Cloud 5
BYOD / Mobile	BYOD / Mobile 1	BYOD / Mobile 2	BYOD / Mobile 3	BYOD / Mobile 4	BYOD / Mobile 5
Social Media	Social Media 1	Social Media 2	Social Media 3	Social Media 4	Social Media 5
Big Data	Big Data 1	Big Data 2	Big Data 3	Big Data 4	Big Data 5
Vendors / Third Parties	Vendors / Third Parties 1	Vendors / Third Parties 2	Vendors / Third Parties 3	Vendors / Third Parties 4	Vendors / Third Parties 5
Other (please specify)	Other (please specify) 1	Other (please specify) 2	Other (please specify) 3	Other (please specify) 4	Other (please specify) 5

Question Title

* 9. What is your current approach to Risk Management?

GRC Solutions

Standalone Risk Management Tool (COTS)

Document Management System

Internally developed tool

Manual / Spreadsheets and Documents

None of the above

Other (please specify)

Question Title

* 10. How well are your objectives covered by the Technology supporting your Risk Management Program?

Fully (90-100%) - Risk Management program is completely automated with a well-integrated solution mapping to corporate strategy / approach

Mostly (70-89%) - Risk Management program is automated, but not mapped to overall corporate strategy / approach

Partially (50-69%) - Risk management program is automated for a majority of the tasks, but still has a manual dependency to raise issues and alerts.

Limited (20-49%) - Risk management is manually managed, automation is being piloted in siloes

Inadequate (0-19%) - Risks are managed through data maintained in offline spreadsheets and is not integrated at an enterprise level.

Question Title

* 11. What specific content and integrations do you currently leverage or subscribe to support your Risk Management Program?

Unified Compliance Framework (UCF)

Threat feeds (ex. iDefense)

Regulatory Alerts

Integrate vulnerability Assessment data (e.g.: from Qualys, Nessus, Rapid7 etc.)

Integrate data from SIEM, DLP, IDS etc.

None of the above

Other (please specify)

Question Title

* 12. Do you plan to adopt or upgrade your IT Risk Management technology within the next 12 months?

Yes, a decision has been made and is being implemented

Yes, an adoption or upgrade is being planned and budgeted

An adoption or upgrade is desired, but we do not currently have the budget

No adoption / upgrade is currently planned

No, we are satisfied with our current solutions

Question Title

* 13. Where does the IT Risk function currently reside within your organization? Check all that apply.

Audit

Compliance

Operational / Enterprise Risk

Other (please specify)

Question Title

* 14. . Are there plans to change the functional group where the IT Risk function resides within your organization over the next 12 months?

Yes

Question Title

* 15. How involved is your senior management, board or board committee in establishing or policies on IT risk oversight and management?

Deeply involved

Involved at a high level

Not involved

Not sure

Additional Comments