This tip is excerpted from Chapter 3 of The Definitive Guide to Security Inside the Perimeter, written by Rebecca Herold and published by Realtimepublishers.com. Read the entire e-book for free.
Define risk for your organization as a whole and within each business unit. What does legal consider an information risk? What do your privacy and compliance areas consider an information risk? What do your auditors consider an information security risk? What do information security leaders consider a risk? To succeed with a risk analysis and assessment, you first need to define the organization-wide risks that exist in your environment and reach consensus on them. The results of the risk analysis and assessment will then be more readily accepted as applicable to your environment. When your coworkers participate in making security decisions, they feel ownership of the resulting actions and are more likely to make a conscious effort to comply.
The United States Office of Management and Budget (OMB) has identified 19 areas of risk for information technology investments, which are highlighted in the following list. Note that the list mixes project and financial risks with information security risks; the security, data and privacy areas are the ones most directly relevant to an information security risk assessment.
Schedule -- Risk associated with schedule slippages, either from lack of internal controls or from those associated with late delivery by vendors, resulting in missed milestones.
Initial costs -- Risk associated with "cost creep" or miscalculation of initial costs that result in an inaccurate baseline against which to estimate and compare future costs.
Life cycle costs -- Risk associated with misestimating life cycle costs, exceeding forecasts, and relying on a small number of vendors without sufficient cost controls.
Technical obsolescence -- Risk associated with technology that becomes obsolete before the completion of the life cycle, and cannot provide the planned and desired functionality.
Feasibility -- Risk that the proposed alternative fails to result in the desired technological outcomes; risk that business goals of the program or initiative will not be achieved; risk that the program effectiveness targeted by the project will not be achieved.
Reliability of systems -- Risk associated with vulnerability/integrity of systems.
Dependencies and interoperability between this investment and others -- Risk associated with interoperability between other investments; risk that interoperable systems will not achieve desired outcomes; risk of increased vulnerabilities among systems.
Surety (asset protection) considerations -- Risk associated with the loss/misuse of data or information; risk of technical problems/failures with applications; risk associated with the security/vulnerability of systems.
Risk of creating a monopoly for future procurements -- Risk associated with choosing an investment that depends on other technologies or applications that require future procurements to be from a particular vendor or supplier.
Capability of agency to manage the investment -- Risk of poor financial management of the investment, poor operational and technical controls, or reliance on vendors without appropriate cost, technical, and operational controls; risk that business goals of the program or initiative will not be achieved; risk that the program effectiveness targeted by the project will not be achieved.
Overall risk of project failure -- Risk that the project/investment will not result in the desired outcomes.
Project resources/financial -- Risk associated with "cost creep," miscalculation of life cycle costs, reliance on a small number of vendors without cost controls, or inadequate acquisition planning.
Technical/technology -- Risk associated with immaturity of commercially available technology and reliance on a small number of vendors; risk of technical problems/failures with applications and their inability to provide planned and desired technical functionality.
Business/operational -- Risk associated with business goals; risk that the proposed alternative fails to result in process efficiencies and streamlining; risk that business goals of the program or initiative will not be achieved; risk that the investment will not achieve operational goals; risk that the program effectiveness targeted by the project will not be achieved.
Organizational and change management -- Risk associated with organizational-, agency-, or government-wide cultural resistance to change and standardization; risk associated with bypassing, lack/improper use of, or non-adherence to new systems and processes because of organizational structure and culture; risk associated with inadequate training planning.
Data/information -- Risk associated with the loss or misuse of data or information; risk of compromise of citizen or corporate privacy information; risk of increased burdens on citizens and businesses because of data collection requirements if the associated business processes or project requires access to data from other sources (federal, state, and/or local agencies).
Security -- Risk associated with the security/vulnerability of systems, Web sites, and information and networks; risk of intrusions and connectivity to other (vulnerable) systems; risk associated with the evolution of credible threats; risk associated with the criminal/fraudulent misuse of information; must include level of risk (high, moderate, low) and what aspect of security determines the level of risk (for example, need for confidentiality of information associated with the project/system, availability of the information or system, or integrity of the information or system).
Strategic -- Risk associated with strategic- and government-wide goals; risk that the proposed alternative fails to result in achieving those goals or in making contributions to them.
Privacy -- Risk associated with the vulnerability of information collected about individuals, or with the vulnerability of proprietary information about businesses.
ABOUT THE AUTHOR:
Rebecca Herold is currently an information privacy, security and compliance consultant, author and instructor with her own company, Rebecca Herold, LLC. Rebecca has provided information security, privacy and regulatory services to organizations from a wide range of industries. She has over 15 years of information privacy, security and compliance experience. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the 1998 CSI Information Security Program of the Year Award.