[BreachExchange] The next step for information risk management

[Audrey McNeil]

http://computer.financialexpress.com/news/the-next-step-for-information-risk-management/16077/

SME owners along with CEOs of large enterprises today are losing sleep over
information security concerns, despite investing heavily on technology to
ensure better business performance. However, these technology investments
are being made in the interest of innovating and accelerating the impact of
technology for their customers rather than to protect the data itself. The
compliance and security teams often approach their CFOs to set aside
budgets required to strengthen the companies’ security and compliance
programs. However, owing to the CFO’s risk-averse nature, they mostly focus
on the business and the bottom line.In view of this, the next step towards
information risk management would be for the CFOs to bring innovative ideas
to the table to help their companies remain competitive.

Corresponding to that, CFOs are required to bring the facts into focus for
the CEOs to take interest in risk management decisions. However, it is to
be noted that these steps are not quick or easy. The CFOs and CEO need to
identify all the assets that contain or transmit the information they are
trying to protect.It could be anything from a Personal Identification
Information (PII), Protected Health Information (PHI), Payment Card
Information (PCI), or any other proprietary or sensitive information
important to the business. These information assets not only include
application but the ‘media’ that contains those applications, such as
servers, back-up tapes, desk tops, laptops, and thumb drives.

Following that would be the identification of threats to those assets which
encompass facets including environmental factors like Floods, Lighting and
fire; Structural like infrastructure or software failure; Accidental like
uninformed or careless users and Adversarial like hackers, malicious
insiders. Furthermore,identification of the vulnerabilities of those assets
is the next significant step. For example, no data backup, no encryption,
weak passwords, no remote wipe, no surge protection, no training, no access
management, no firewalls, no business continuity plans and so on.

Taking informed decisions on risk treatment involves isolating all
combinations of assets, threats to those assets and the vulnerabilities
that might be exploited. Absence of these three aspects indicates that
there is no risk to the information of the company. However, this is just
the nascent stage or initial steps towards information risk management.
Determining the likelihood of each threat exploiting the vulnerabilities
follows the suite.The subsequent steps could be relatively harder as it
lacks specific data to support a calculable likelihood. Tackling the issue,
some companies use simple high, low and medium ranking, but there are
various other metrics that need to be factored in to access likelihood
like, industry breach statistics, data-type breach statistics, data loss
statistics by cause, industry complaint statistics, the breach and/or
complaint history of one’s own organization, and the details of any
security or privacy incidents.

Apart from determining the likelihood of the threats exploiting the
vulnerabilities, enterprises need to generate a risk-list, with high impact
risk at the top and low impact risk at the bottom and everything else in
between. Once the list is in place, the CISOs, CFOs, CEOs and all other
C-suites need to congregate and belt out solutions and determine the cost
of all risks.
In a nut shell, continuous evaluations and re-evaluations of risks that a
company faces, is a good practice. Although time, energy and commitment are
some of the most important pre-requisites for such practices, one has to
agree that ongoing vigilance has its own rewards. Apart from mitigating
huge business costs, it also saves the companies immense reputational
damage that could stem out of data breach.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160225/6c59cbe7/attachment-0001.html>