Information Risk Management

Life is full of risk.

Risk is the possibility of damage happening, and the ramifications of such damage should it occur. Information risk management (IRM) is the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level. There is no such thing as a 100-percent secure environment. Every environment has vulnerabilities and threats to a certain degree. The skill is in identifying these threats, assessing the probability of them actually occurring and the damage they could cause, and then taking the right steps to reduce the overall level of risk in the environment to what the organization identifies as acceptable.

Risks to a company come in different forms, and they are not all computer related. When a company purchases another company, it takes on a lot of risk in the hope this move will increase its market base, productivity, and profitability. If a company increases its product line, this can add overhead, increase the need for personnel and storage facilities, require more funding for different materials, and maybe increase insurance premiums and the expense of marketing campaigns. The risk is that this added overhead might not be matched in sales; thus, profitability will be reduced or not accomplished.

When we look at information security, note that a corporation needs to be aware of several types of risk and address them properly. The following items touch on the major categories:

  • Physical damage: Fire, water, vandalism, power loss, and natural disasters

  • Human interaction: Accidental or intentional action or inaction that can disrupt productivity

  • Equipment malfunction: Failure of systems and peripheral devices

  • Inside and outside attacks: Hacking, cracking, and attacking

  • Misuse of data: Sharing trade secrets, fraud, espionage, and theft

  • Loss of data: Intentional or unintentional loss of information through destructive means

  • Application error: Computation errors, input errors, and buffer overflows

Threats must be identified, classified by category, and evaluated to calculate their damage potential to the company. Real risk is hard to measure, but prioritizing the potential risks in order of which ones must be addressed first is possible.

Who Really Understands Risk Management?

Unfortunately, the answer to this question is that not enough people inside or outside of the security profession really understand risk management. Even though information security is “big business” today, the focus is more on applications, devices, protocols, viruses, and hacking. Although these items all must be considered and weighed in risk management processes, they should be considered small pieces of the overall security puzzle, not the main focus of risk management.

Security is now a business issue, but businesses operate to make money, not to just be secure. A business is concerned with security only if potential risks threaten its bottom line, which they can in many ways, such as through the loss of reputation and their customer base after a database of credit card numbers is compromised; through the loss of thousands of dollars in operational expenses from a new computer worm; through the loss of proprietary information as a result of successful company espionage attempts; through the loss of confidential information from a successful social engineering attack; and so on. It is critical that security professionals understand these individual threats, but it is more important they understand how to calculate the risk of these threats and map them to business drivers.

Knowing the difference between the definitions of “vulnerability,” “threat,” and “risk” may seem trivial to you, but it is more critical than most people truly understand. A vulnerability scanner can identify dangerous services that are running, unnecessary accounts, and unpatched systems. That is the easy part. But if you have a security budget of only $120,000 and you have a long list of vulnerabilities that need attention, do you have the proper skill to know which ones should be dealt with first? Since you have a finite amount of money and an almost infinite number of vulnerabilities, how do you properly rank the most critical vulnerabilities to ensure that your company is addressing the most critical issues and providing the most return on investment of funds?

This is what risk management is all about, and to organizations, corporations, and businesses across the world, it is more important than IDS, ethical hacking, malware, and firewalls. But risk management is not as “sexy” and therefore does not get its necessary attention or implementation.
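The budget problem above (a fixed $120,000 and more findings than it can cover) can be worked through with a small ranking script. This is an added illustration, not from the book: the findings, their probabilities, impacts and fix costs are all constructed sample values, and the greedy "expected loss avoided per dollar" ordering is one simple prioritization method assumed here, not a method the text prescribes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    name: str
    probability: float  # assumed annual likelihood of the threat being realized, 0..1
    impact: float       # assumed loss in dollars if it is realized
    fix_cost: float     # assumed cost to remediate

# Constructed sample findings; every number is an illustrative assumption.
FINDINGS = [
    Finding("Unpatched internet-facing web server", 0.60, 400_000, 15_000),
    Finding("Dormant admin accounts never removed", 0.30, 250_000, 5_000),
    Finding("Unnecessary service on file server", 0.10, 50_000, 2_000),
    Finding("No offsite backups for customer database", 0.05, 2_000_000, 60_000),
    Finding("Guest Wi-Fi bridged to internal LAN", 0.40, 150_000, 25_000),
    Finding("Legacy app with known buffer overflow", 0.20, 800_000, 120_000),
]

def expected_loss(f: Finding) -> float:
    """Risk as the page defines it: probability of damage times its ramifications."""
    return f.probability * f.impact

def prioritize(findings, budget):
    """Rank by expected loss avoided per remediation dollar, then fund in that
    order until the budget runs out. Greedy, so not always optimal, but it
    answers 'which ones first' with a defensible, repeatable rule.
    Returns (funded, deferred, remaining_budget)."""
    ranked = sorted(findings, key=lambda f: expected_loss(f) / f.fix_cost, reverse=True)
    funded, deferred, remaining = [], [], budget
    for f in ranked:
        if f.fix_cost <= remaining:
            funded.append(f)
            remaining -= f.fix_cost
        else:
            deferred.append(f)
    return funded, deferred, remaining

def avoided_loss(funded) -> float:
    """Total expected annual loss removed by the funded fixes (the 'return' side of ROI)."""
    return sum(expected_loss(f) for f in funded)

if __name__ == "__main__":
    funded, deferred, left = prioritize(FINDINGS, 120_000)
    for f in funded:
        print(f"FUND   {f.name:45} ratio={expected_loss(f) / f.fix_cost:6.2f}")
    for f in deferred:
        print(f"DEFER  {f.name:45} ratio={expected_loss(f) / f.fix_cost:6.2f}")
    print(f"expected loss avoided: ${avoided_loss(funded):,.0f}, unspent: ${left:,}")
```

With these sample numbers the legacy buffer overflow has the second-largest expected loss yet is deferred, because its fix alone would consume the whole budget while five cheaper fixes together remove far more risk.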

Information Risk Management Policy

How do I put all of these risk management pieces together?

Response: Let’s check out the policy.

Proper risk management requires a strong commitment from senior management, a documented process that supports the organization’s mission, an IRM policy, and a delegated IRM team.

The IRM policy should be a subset of the organization’s overall risk management policy (risks to a company include more than just information security issues) and should be mapped to the organizational security policies. The IRM policy should address the following items:

  • The objectives of the IRM team

  • The level of risk the company will accept and what is considered an acceptable level of risk

  • Formal processes of risk identification

  • The connection between the IRM policy and the organization’s strategic planning processes

  • Responsibilities that fall under IRM and the roles to fulfill them

  • The mapping of risk to internal controls

  • The approach toward changing staff behaviors and resource allocation in response to risk analysis

  • The mapping of risks to performance targets and budgets

  • Key indicators to monitor the effectiveness of controls

The IRM policy provides the infrastructure for the organization’s security risk management processes and procedures and should address all issues of information security, from personnel screening and the insider threat to physical security and firewalls. It should provide direction on how the IRM team relates information on company risks to senior management and how to properly execute management’s decisions on risk mitigation tasks.

The Risk Management Team

Each organization is different in its size, security posture requirements, and security budget. One organization may have one individual responsible for IRM (poor soul) or a team that works in a coordinated manner. The overall goal of the team is to ensure the company is protected in the most cost-effective manner. This goal can be accomplished only if the following components are in place:

  • An established risk acceptance level provided by senior management

  • Documented risk assessment processes and procedures

  • Procedures for identifying and mitigating risks

  • Appropriate resource and fund allocation from senior management

  • Contingency plans where assessments indicate they are necessary

  • Security-awareness training for all staff members associated with information assets

  • The ability to establish improvement (or risk mitigation) teams in specific areas when necessary

  • The mapping of legal and regulatory compliance requirements to control and implementation requirements

  • The development of metrics and performance indicators so as to measure and manage various types of risks

  • The ability to identify and assess new risks as the environment and company changes

  • The integration of IRM and the organization’s change control process to ensure that changes do not introduce new vulnerabilities

Obviously, this list is a lot more than just buying a new shiny firewall and calling the company safe.

The IRM team, in most cases, is not made up of employees with the dedicated task of risk management. It consists of people who already have a full-time job in the company and are now tasked with something else. Thus, senior management support is necessary so proper resource allocation can take place.

Of course, all teams need a leader, and IRM is no different. One individual should be singled out to run this rodeo and, in larger organizations, this person should be spending 50 to 70 percent of their time in this role. Management must dedicate funds to making sure this person receives the necessary training and risk analysis tools needed to ensure it is a successful endeavor.
