COMPLIANCE AND GOVERNANCE DIGEST

Five steps to building information risk management frameworks


Khalid Kark
07.25.2007




It is no secret to security and risk management professionals that security is a function of people, processes and technology. But when it comes to spending, historical data tells a very different story. Most organizations have traditionally spent a disproportionately high percentage of their security dollars on technology, relying largely on product-based approaches to solve their security issues.

Deploying technology may be easier than changing how employees think, or instilling the rigor of process within organizations, but it may not be very effective by itself. In this tip, we'll cover five steps that any organization can utilize to build a framework for mitigating business risk.

Step 1: Understand and define your information risk universe
To develop a comprehensive information risk management (IRM) framework, CISOs must first define their responsibilities. For example, Forrester Research's framework consists of 17 domains that span people, processes and technology. But defining these domains by themselves will be useless unless each domain has appropriate controls to ensure confidentiality, integrity and availability of information.

Step 2: Determine confidentiality, integrity and availability requirements
Not all areas of a business require the same level of protection. Contractual obligations and legislative mandates may determine business controls for some organizations, but for many others, informed judgment calls made in conjunction with line-of-business partners are necessary. When assessing the criticality of a function, answer these three questions:

  • How confidential is the function? Assess the potential impact of a data breach in this function on your firm's overall business. For example, sanctions from the Federal Trade Commission (FTC) are often the least of a company's concerns; companies frequently pay a much heavier price in lost business reputation and ongoing litigation.
  • Is the accuracy of this function's information relied on heavily? Next, assess the potential impact of data corruption, which can vary widely. For example, cases of customers receiving the wrong medication are more difficult to handle than customer support complaints.
  • If this function is not there when needed, what are the consequences? Time is almost always money. You might not be worried about your instant message (IM) conversations being eavesdropped upon, but the company's Web site, which brings in $2 million a day, can't be threatened or knocked offline, even for a few minutes.

Step 3: Define your controls

The role of a security office has expanded considerably over the past few years. CISOs are now responsible for areas such as business continuity, disaster recovery and compliance. There are related areas that the CISO is not directly responsible for, such as physical security, applications development and IT operations, but these functions have huge implications on the overall security of information assets. CISOs need to monitor and measure the security controls in all of these business groups to be able to do their jobs effectively. CISOs should employ a framework-based approach to identify and measure these areas in order to track their progress over time.

Step 4: Develop enforcement, monitoring and response mechanisms
An IRM framework must ensure that these controls are defined, enforced, measured, monitored and reported. For areas where these controls may not sufficiently mitigate the risk, CISOs must ensure that those risks are reduced, transferred or accepted.

Step 5: Measure and report
In a recent survey, Forrester found that the majority of security metrics programs are still in their infancy or planning phases. The respondents cited two main challenges in developing their metrics programs: finding the right metrics and translating the security metrics into business language.

A lot of security managers are focused on gathering and reporting tactical and status update information. To develop a successful security metrics program, CISOs need to identify, prioritize, monitor and measure security based on business goals and objectives. They should then focus on translating those measurements into business language that can be of use to executive management when making strategic business decisions.

The enormity of the effort and struggle to find the right metrics for their organizations overwhelmed many of the CISOs we surveyed. Today, most organizations have good security policies and appropriate technologies and processes to enforce them. There are some monitoring and response capabilities, but a vast majority of organizations today don't have good security measurement capabilities. Measuring and reporting adherence to security policies is a critical component of your security program and should never be underestimated or overlooked.

Khalid Kark is a principal analyst at Forrester Research. His research focuses on information risk management strategy, governance, best practices, measurement, and reporting. He can be reached at kkark@forrester.com.
