How to assess sanctions risks for an organization's IT landscape: seven simple steps
Sanctions against Russia and against individual domestic organizations have exposed a serious vulnerability and forced an open discussion of how dependent every sector of the domestic economy is on foreign producers. Consumer goods can be substituted relatively easily (including by replacing some foreign suppliers with others), but with information technology the situation is entirely different: as a rule, there is nothing to substitute. Is it possible to assess the threat that foreign sanctions pose to an enterprise's IT landscape? Levon Khachatryan, director of the development and consulting department at IBS, in this material prepared for TAdviser proposes a set of simple steps that will let you understand how sanctions will affect your organization and take measures without delay.
For some reason we only turned our attention to import substitution after sanctions were imposed by the countries that are the main producers and suppliers of information technology. One can only guess how the situation will develop further: whether sales of technology will be prohibited, whether support will be restricted, or whether the procedures for purchasing it and importing it into the Russian Federation will simply be made more complicated.
Suppose that hardware can for the most part be replaced with analogues from Russian and Asian producers. The quality and compatibility of these analogues is a big question that deserves a separate article. But what about software? The idea of using freely distributed software only makes experts laugh: everyone has long known where free cheese is found.
To use freely distributed software, competence centres for that software have to be created, at least in Russia.
Some of my colleagues have begun an endless search for substitute technologies. The process is endless because, I repeat, there is nothing to substitute the software with. Others are convinced that sanctions will not affect them.
Meanwhile, instead of waiting for the thunderclap of tightened sanctions or restrictions on the use of imported information technology, there is a set of simple steps that will let you assess how sanctions will affect your organization and take measures now.
Step 1: Structuring the IT landscape
The first step is to structure and update the information about the information technologies used in the organization. This is a simple action, especially since most organizations already hold this information in one form or another. The simplest and clearest option is a flat (non-hierarchical) structure with the following sections:
- Application software platforms.
- System software.
- Computing infrastructure.
- Telecommunications infrastructure.
- User workstation software.
- User workstation hardware.
- Office equipment.
Step 2: Forming the list of risks for IT landscape components
Next, compile the list of risks connected with sanctions. Numerical importance weights can be assigned to the risks. Examples of some risks are listed below:
- Restrictions (prohibition) on the use of imported technology imposed by regulators of the Russian Federation.
- A ban on importing technology into the Russian Federation (sanctions).
- Termination of technical support.
- Theft of information.
Step 3: Assessing threats to IT landscape components
Threats to IT landscape components can be assessed qualitatively (for example: None, Low, Medium, High), but each of the chosen qualitative grades then has to be assigned a numerical value.
For threat assessment, let us introduce for each component the parameter Tk, whose value equals the maximum threat value across the risks for that component. In our case Tk takes values in the range [0;3].
Step 4: Assessing risk probability
Since we are dealing with sanctions, the probability of a risk can be estimated from the country to which the producer of the information technology belongs, for example:
- None – for the Russian Federation or freely distributed software.
- Low – producers from countries that did not join the sanctions and that belong to political and economic blocs together with the Russian Federation.
- Medium – producers from countries that did not join the sanctions but do not belong to political and economic blocs with the Russian Federation.
- High – producers from countries that joined the sanctions (the USA, EU countries, etc.).
As in the previous step, we assign numerical values to all the qualitative probability grades.
For risk probability assessment, let us introduce for each component the parameter Pk, whose value equals the maximum risk probability for that component. In our case Pk takes values in the range [0;3].
Step 5: Assessing risks for components
The numerical risk value for each component is the product of the threat to the component and the risk probability for the component:
Rk = Tk x Pk,
where Rk is the risk for the component and takes values in the range [0;9].
The priority areas for response are the components with Rk = 9.
Step 6: Assessing risks for applications
Now that we have a risk assessment for the components of the IT landscape, we need to assess the risks for the applications.
For this we define the degree of criticality of the applications in our organization. Criticality can be assessed by expert judgement (critical / not critical), but this usually leads to long discussions among the experts. It therefore makes sense to introduce 5–6 criticality criteria and assign them numerical values. Examples of some criticality criteria are given below:
- Use of the application in the organization's primary activity (not used – 0, used – 1).
- Share of the organization's staff using the application (less than 30% – 0, more than 30% – 1).
- Sensitivity of the information (open – 0, confidential – 1).
For application criticality, let us introduce the parameter SPP, whose value equals the sum of the numerical values of the criticality criteria. In our example SPP takes values in the range [0;3].
The numerical risk value for an application is the product of the application's criticality and the sum of the risks of all IT landscape components that the application uses:
Rpp = SPP x Rk,
where Rpp is the risk for the application and Rk here denotes the sum of the risks of the components that the application uses.
The Rpp value is best used to compare applications across the organization and to determine which are the most vulnerable in terms of sanctions-related risks.
Step 7: Choosing a risk response strategy
Now that we have a risk assessment for the applications and for the IT landscape components, we need to compile the list of risk response strategies. Examples of some strategies are listed below:
- Refusal of further development (freezing the version).
- Replacing the support organization with a Russian one.
- Migration to a Russian analogue.
- Use of an analogue from another country.
- Local certification with the vendor's participation.
- Development of an in-house solution.
- Buying out the rights for independent development.
In our example, a set of strategies that reduce the risk values leads to the target state with an acceptable level of risk for the applications and components of the IT landscape.
For a fuller picture, let us consider the described approach on an example.
Suppose a certain application in our organization uses the following IT landscape components (blank cells in the threat table are as in the original):
Threat to components (Tk): 3 – high, 0 – absent.
| № | Component | Restrictions (prohibition) on the use of imported technology by regulators of the Russian Federation | Ban on importing technology into the Russian Federation (sanctions) | Termination of technical support | Theft of information |
|---|---|---|---|---|---|
| 1 | Software platform from a Russian vendor | 0 | | 0 | |
| 2 | DBMS produced in the USA | 3 | | 3 | |
| 3 | Server operating system produced in the USA | 3 | | 3 | |
| 4 | Server from a Taiwanese vendor | 1 | | 1 | |
Next, we determine the risk probability for all components (using the country mapping from Step 4):
| № | Component | Producer | Risk probability (Pk) |
|---|---|---|---|
| 1 | Software platform of Russian production | Russian Federation | 0 |
| 2 | DBMS produced in the USA | USA | 3 |
| 3 | Server operating system produced in the USA | USA | 3 |
| 4 | Server from a Taiwanese vendor | Taiwan | 1 |
Using the formula Rk = Tk x Pk, we calculate the risk values for the components:
| № | Component | Threat (Tk) | Probability (Pk) | Risk (Rk) |
|---|---|---|---|---|
| 1 | Software platform of Russian production | 0 | 0 | 0 |
| 2 | DBMS produced in the USA | 3 | 3 | 9 |
| 3 | Server operating system produced in the USA | 3 | 3 | 9 |
| 4 | Server from a Taiwanese vendor | 1 | 1 | 1 |
Let us determine the criticality of the application for our organization on the basis of our criteria:
- The application is used in the primary activity (1).
- The share of the organization's staff using the application is less than 30% (0).
- The application is used to process confidential information (1).
Thus, the criticality of the application is SPP = 2.
Using the formula Rpp = SPP x Rk, we calculate the risk value for the application:
Rpp = 2 x (0 + 9 + 9 + 1) = 38.
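The scoring model of Steps 3–6, run over the article's own sample application, as an added example that is not part of the original material. Function names and the risk keys are assumptions; the Tk, Pk and SPP values and the country-to-probability mapping follow the article, and blank cells in its threat table are treated as 0.

```python
# Added example, not from the article: the scoring model of steps 3-6 applied to the
# article's own sample application. Function names and the risk keys are assumptions;
# the Tk, Pk, SPP values and the country-to-probability mapping follow the article.
from typing import Dict, List, Tuple

# Step 4: risk probability Pk by producer country (None=0, Low=1, Medium=2, High=3).
# Taiwan=1 is what the article's example implies (Rk = 1 for a component with Tk = 1).
COUNTRY_PROBABILITY: Dict[str, int] = {"Russia": 0, "Taiwan": 1, "USA": 3}


def component_risk(threats: Dict[str, int], country: str) -> int:
    """Step 5: Rk = Tk x Pk, with Tk the maximum threat over the listed risks."""
    tk = max(threats.values(), default=0)
    if not 0 <= tk <= 3:
        raise ValueError(f"threat values must lie in [0;3], got {tk}")
    # A producer country missing from the table is scored as High, not silently as 0.
    pk = COUNTRY_PROBABILITY.get(country, 3)
    return tk * pk


def application_criticality(criteria: Dict[str, bool]) -> int:
    """Step 6: SPP is the sum of the binary criticality criteria."""
    return sum(int(met) for met in criteria.values())


def application_risk(spp: int, component_risks: List[int]) -> int:
    """Step 6: Rpp = SPP x (sum of Rk over the components the application uses)."""
    return spp * sum(component_risks)


# Constructed data reproducing the article's example (blank cells in its table -> 0).
COMPONENTS: List[Tuple[str, str, Dict[str, int]]] = [
    ("Russian software platform", "Russia", {"regulator_ban": 0, "support_end": 0}),
    ("US-made DBMS", "USA", {"regulator_ban": 3, "support_end": 3}),
    ("US-made server OS", "USA", {"regulator_ban": 3, "support_end": 3}),
    ("Server from a Taiwanese vendor", "Taiwan", {"regulator_ban": 1, "support_end": 1}),
]
CRITERIA = {"used_in_primary_activity": True, "over_30pct_of_staff": False, "confidential_data": True}


def assess_example() -> Tuple[List[int], int, int, List[str]]:
    """Returns (Rk per component, SPP, Rpp, components needing a priority response)."""
    rks = [component_risk(threats, country) for _, country, threats in COMPONENTS]
    spp = application_criticality(CRITERIA)
    rpp = application_risk(spp, rks)
    priority = [name for (name, _, _), rk in zip(COMPONENTS, rks) if rk == 9]
    return rks, spp, rpp, priority


if __name__ == "__main__":
    print(assess_example())  # ([0, 9, 9, 1], 2, 38, ['US-made DBMS', 'US-made server OS'])
```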
Let us compile the list of actions for the IT landscape components with high risk in our example. The list of actions should be aimed at reducing the risk for the component and should cover a 3–5 year horizon, taking into account the development of information technology in Russia over that period.
| № | Component | Risk (Rk) | Strategy |
|---|---|---|---|
| 1 | Software platform of Russian production | 0 | |
| 2 | DBMS produced in the USA | 9 | 1. Refusal of further development (freezing the version), and |
| 3 | Server operating system produced in the USA | 9 | 1. Refusal of further development (freezing the version), and |
| 4 | Server from a Taiwanese vendor | 1 | |
As this article shows, there is a list of steps, quite feasible for any Russian organization, that will make it possible to assess the influence of sanctions on the organization's information technology and to take specific measures to protect those technologies and, ultimately, the business.
Prepared with the assistance of IBS
See Also
- Import substitution of information technology in Russia
- Import substitution of software in the public sector
- Import substitution of computing equipment and microelectronics
- "Expensive, but inevitable": how Russian IT companies assess the prospects for import substitution
- Import substitution in the field of information security
- Import substitution of information technology: 5 pros and 5 cons
- Import substitution in state-owned companies