Five steps to building information risk management frameworks

Deploying technology may be easier than changing how employees think, or instilling the rigor of process within organizations, but it may not be very effective by itself. In this tip, we'll cover five steps that any organization can utilize to build a framework for mitigating business risk.

Step 1: Understand and define your information risk universe
To develop a comprehensive information risk management (IRM) framework, CISOs must first define their responsibilities. For example, Forrester Research's framework consists of 17 domains that span people, processes and technology. But defining these domains by themselves will be useless unless each domain has appropriate controls to ensure confidentiality, integrity and availability of information.

Step 2: Determine confidentiality, integrity and availability requirements
Not all areas of a business require the same level of protection. Contractual obligations and legislative mandates may determine business controls for some organizations, but for many others, informed judgment calls in conjunction with partners in line-of-business jobs is necessary. When assessing the criticality of a function, answer these three questions:

Step 3: Define your controls
The role of a security office has expanded considerably over the past few years. CISOs are now responsible for areas such as business continuity, disaster recovery and compliance. There are related areas that the CISO is not directly responsible for, such as physical security, applications development and IT operations, but t

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Compliance and Governance Digest Red Flags Rule compliance How AML compliance applies to remote deposit capture Tokenization and PCI compliance Data governance and classification The PCI compliance case for source code review Identity management for financial firms in turbulent times PCI DSS: Best practices for compliance Red Flag Rules compliance demands a risk-based approach Understanding the impact of new state data protection laws Understanding the FFIEC remote deposit capture guidance Risk management frameworks, metrics and strategy Controls monitoring helps with governance, risk and compliance An advancement in GRC Advocacy group looks to foster trust in foreign service providers Using an information security council Information security governance using a risk-based approach Security on the street with SearchFinancialSecurity.com: Risk management Strategic metrics for information security at financial services firms Metrics don't truly quantify information risk Rethinking risk management for financial services firms Outlining governance frameworks Site Highlights Banks scramble to boost online security Black Hat 2007: For financial firms, availability too often trumps security Insuring compliance: Nationwide tackles GLBA

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

hese functions have huge implications on the overall security of information assets. CISOs need to monitor and measure the security controls in all of these business groups to be able to do their jobs effectively. CISOs should employ a framework-based approach to identify and measure these areas in order to track their progress over time.

Step 4: Develop enforcement, monitoring and response mechanisms
An IRM framework must ensure that these controls are defined, enforced, measured, monitored and reported. For areas where these controls may not sufficiently mitigate the risk, CISOs must ensure that those risks are reduced, transferred or accepted.

Step 5: Measure and report
In a recent survey, Forrester found that the majority of security metrics programs are still in their infancy or planning phases. The respondents cited two main challenges in developing their metrics programs: finding the right metrics and translating the security metrics into business language.

A lot of security managers are focused on gathering and reporting tactical and status update information. To develop a successful security metrics program, CISOs need to identify, prioritize, monitor and measure security based on business goals and objectives. They should then focus on translating those measurements into business language that can be of use to executive management when making strategic business decisions.

The enormity of the effort and struggle to find the right metrics for their organizations overwhelmed many of the CISOs we surveyed. Today, most organizations have good security policies and appropriate technologies and processes to enforce them. There are some monitoring and response capabilities, but a vast majority of organizations today don't have good security measurement capabilities. Measuring and reporting adherence to security policies is a critical component of your security program and should never be underestimated or overlooked.

Khalid Kark is a principal analyst at Forrester Research. His research focuses on information risk management strategy, governance, best practices, measurement, and reporting. He can be reached at kkark@forrester.com.

Rate this Tip To rate tips, you must be a member of SearchFinancialSecurity.com. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.