Managing Information Risk

Managing Information Risk: A Director's Guide

STEWART MITCHELL
Copyright Date: 2009
Published by: IT Governance Publishing
Pages: 57
https://www.jstor.org/stable/j.ctt5hh3rh
    Book Description:

    Information risk is endemic in any modern organisation. From the potential for losing sensitive information to a full-system crash that incapacitates the company, the consequences can be disastrous. Information risk management is a method of assessing information threats and taking actions to minimise the chances of risks becoming a reality. With properly implemented security controls based on risk assessment, you could stop your company from having to suffer huge financial or reputational fallout. This pocket guide addresses the scope of risks involved in a modern IT system, and outlines strategies for working through the process of putting risk management at the heart of your corporate culture. The guide draws on the work of the US National Institute of Standards and Technology, together with UK government white papers and interviews with board-level risk management practitioners.

    eISBN: 978-1-84928-019-8
    Subjects: Technology

Table of Contents

  1. Front Matter
    (pp. 1-4)
  2. PREFACE
    (pp. 5-6)
  3. ABOUT THE AUTHOR
    (pp. 7-7)
  4. Table of Contents
    (pp. 8-9)
  5. INTRODUCTION
    (pp. 10-12)

    Information is critical to every large enterprise, yet its mission-critical importance is all too often overlooked – until something goes wrong.

    Information risk management is a method of assessing information threats, which can be anything from a burst pipe flooding your server room to someone leaving a laptop on the train, and taking actions to minimise the chances of risks becoming reality.

    The reasons for managing information risk are many. Properly implemented security controls sparked by a risk assessment could save huge financial or reputational fallout.

    A 2008 cybercrime report by McAfee suggests that globally businesses lose $1 trillion a...

  6. CHAPTER 1: MANAGING RISK
    (pp. 13-18)

    The key to managing risk is understanding that, whatever security controls your organisation puts in place, some level of risk is inevitable. The following chapters help identify, evaluate and quantify the risks, but at all stages of the risk assessment and control framework, managers need to be considering just what level of risk is acceptable for any given threat. Given the potential costs of an IT systems security breach, assessing ‘risk tolerance’ is a board-level consideration.

    After each threat and risk is assessed and the cost-benefits of mitigating a risk have been established, directors need to decide how to...

  7. CHAPTER 2: INFORMATION RISK POLICY
    (pp. 19-20)

    As a priority, directors should draw up an information risk policy to help steer the organisation, key security staff and information owners towards a more secure landscape. There is a ‘Checklist for Directors’ drawn up by the National Archives in Appendix 1 highlighting the various areas for consideration.

    In March 2009, the UK government published its Guidance on the Department Information Risk Policy, based on generic guidance set out by CESG and published in ISO27002. The paper states that the foundations for good information risk management lie in forward planning, and management should expect at least the following criteria to be...

  8. CHAPTER 3: THE RISKS
    (pp. 21-25)

    Before deciding how to deal with the risks associated with your business’s computer and information systems, it is important to consider the breadth of those risks. It is not simply a case of ensuring a virtual perimeter, as many of the risks are born from cultural issues or involve factors beyond your control. The National Archives guidance Managing Information Risk documents many of the risks that directors need to consider in assessing the impact a system failure or breach could have on their organisation. The following chamber of horrors is but a sample of the potential pitfalls.

    These are the...

  9. CHAPTER 4: RISK MANAGEMENT FRAMEWORK
    (pp. 26-29)

    The process of information risk management should be applied at every stage of a project’s life cycle – in fact, it is cheaper and more efficient to undertake the work during the design stage than to retrofit the mitigation at a later date.

    Whether the risk management programme is for a new project or not, there are several key stages that need to be addressed, and this is best done using some sort of information risk governance framework or risk management framework.

    Though directors are ultimately accountable for the protection of the organisation’s information, the entire organisation needs to work...

  10. CHAPTER 5: RISK ASSESSMENT
    (pp. 30-37)

    A risk assessment is essential in forming a clearer picture of how external and internal threats could impact on your organisation, how severe and how likely those threats are and how well your organisation is already prepared.

    There are many process possibilities for conducting a risk assessment, but a good starting point for directors is the NIST’s guidance in SP 800-30. The Institute identifies nine stages of the information risk assessment process, starting with a review of the existing or proposed system and ending with a commitment to monitor the system on an ongoing basis.

    By defining the scope of...

  11. CHAPTER 6: RISK MITIGATION STRATEGY
    (pp. 38-41)

    Armed with an understanding of the risks and recommended controls, senior management will want to know when and how to take action; this comes down to prioritising the threats and assembling an arsenal of control weapons to make it harder for risk sources to attack a vulnerability. Some risks, where loss is too great to contemplate, require immediate remedial action, while others require turning existing measures up a notch, or ensuring existing policies are being followed.

    Directors can protect their assets and themselves by choosing strong and relevant security controls for their information systems, and the first stop involves baseline...

  12. CHAPTER 7: CONTROLS
    (pp. 42-43)

    The full range of possible controls is beyond the scope of this pocket guide (there’s an exhaustive list in NIST SP 800-30), but it should include technical, management and operational controls. Implemented correctly, they can prevent or at least deter threat source damage to your company’s business practices and reputation.

    Software- and hardware-based controls can protect against outside hackers, but can also be used to secure the internal systems from staff by insisting that files downloaded to removable storage are encrypted, or by blocking unauthorised personnel from certain files. They can both prevent and detect security violations, either internal or...

  13. CHAPTER 8: INTERACTING WITH PARTNERS AND SUPPLIERS
    (pp. 44-46)

    The world is fully connected and it’s impossible not to interact digitally with partners, suppliers and, often, customers. Yet those partners present a very real threat to your business. How frustrating, if you have undertaken all the necessary risk management, only to see the house of cards knocked over by a clumsy partner with sloppy security.

    It’s a problem that’s mushrooming as digital handshakes become the norm. According to the Ponemon Institute’s 2008 Cost of a Data Breach report, since 2005 the percentage of incidents where a third party, such as a consultant, was responsible for a data breach has...

  14. CHAPTER 9: STANDARDS
    (pp. 47-48)

    Standards offer guidelines for directors and IT staff that help ensure that all bases are covered. Although not necessarily a regulatory requirement, membership and accreditation of such schemes are often welcomed by partners to offer assurance that your systems risk strategy is up to scratch.

    Even if your company chooses not to submit to the accreditation process, the standards can still be used as a framework to double-check that the processes outlined in this pocket guide have been met to at least baseline standards.

    The main national and international standards relevant to information risk mitigation include, but are not limited to:

    ISO/IEC...

  15. APPENDIX 1: CHECKLIST FOR DIRECTORS
    (pp. 49-51)
  16. APPENDIX 2: ESTABLISHING AN INFORMATION RISK TSAR
    (pp. 52-52)
  17. FURTHER READING
    (pp. 53-54)
  18. ITG RESOURCES
    (pp. 55-57)