Tip

Institutionalizing risk management for ongoing management support

Every so often, security professionals are thrust into the limelight as the result of a security crisis. Delighted with the attention the incident brings, they may believe that top management will pay more attention to information security. And given that erroneous belief, they often submit proposals for major improvements, which may get approved if the recent problem and its aftermath are painful enough. However, the proposed information security improvements often fail to receive management support. A more holistic long-term strategy would be to use these crises to make a proposal for an institutionalized risk management process.

Clearly, top managers are constantly juggling pressing matters aside from information security. Knowing this, security pros think that their only shot at making significant improvements lies in quickly preparing improvement proposals (or perhaps preparing them in advance), and then submitting these just after a major crisis takes place. While there's strong merit to "striking while the iron is hot" and riding the searing waves of the pain and cost of a recent intrusion, this strategy isn't a long-term approach.

However, a crisis is a valuable opportunity for proposing an institutionalized risk management lifecycle process that will periodically bring information security to the attention of top management. Such a process can bring balance to the often-encountered cycle which goes from understaffed and somewhat unprepared scrambling

    Requires Free Membership to View

in response to a crisis, followed by some encouraging but insufficient improvements, followed soon thereafter by little to no attention given to information security.

The fact is information security is now an essential part of modern business in developed countries around the globe. But in spite of this status, it still has a ways to go when it comes to getting recognized as a normal and required way in which to conduct business. To that end, adopting a risk management lifecycle process can enable organizations to integrate information security into business activities, including budgeting, strategic planning, marketing, human resources and purchasing.

A risk management lifecycle process is a simple loop. It forces management to periodically revisit information security risks, consider what should be done and take action to reduce what's deemed unacceptable. The specific process differs from business to business, but typically the process includes these basic steps:

  • Defining security requirements -- often expressed in the form of policies
  • Implementing controls -- to reflect outlined requirements
  • Performing asset inventory
  • Performing asset ranking and prioritization
  • Identifying threats -- illuminating the perils that face these assets and the organization as a whole
  • Assessing vulnerabilities -- illuminating the threats that are presently not adequately addressed
  • Checking compliance -- against existing requirements both internal and external
  • Proposing changes in requirements
  • Evaluating the merits of proposed changes in requirements -- for example with cost/benefit analysis
  • Approving the development and deployment of new requirements

The intention of the cycle is to get management to go through the process at least annually, even if there's no crisis forcing them to pay attention to information security. The process requires information security-specific policies, which need approval by top management -- policies that will force other layers of management to work with the risk management lifecycle. Such an action-forcing mechanism could involve the withholding of funds for other IT projects until risk management paperwork has been completed.

While recent information security breaches provide a compelling reason to adopt a risk management lifecycle, discussions about the need to be in compliance with information security laws and regulations, such Sarbanes-Oxley, also serve as a forceful justification for institutionalizing this type of process. Whenever possible, in order to reduce the amount of effort required, information security pros should add a risk management lifecycle to related risk management lifecycles that are already in-place. For example, integrating risk management into an existing process could involve an examination of the risks in a wide variety of departments like Legal, Physical Security and Finance. Such a process forces top management to see risk from an across-the-organization perspective, so that the most serious risks can readily be highlighted (and hopefully soon thereafter addressed). In the absence of a similar risk management process to which an information security risk management lifecycle could be attached, the integration with an existing budget process is recommended. In this case, preparing documentation for a risk management lifecycle can be a required part of the annual budgetary paperwork.

A risk management lifecycle process gives management the chance to make new trade-off decisions between security and competing objectives including cost, ease-of-use, time to market and customer service. It enables management to implement appropriate information security measures, and make rational and well-informed decisions.

About the author
Charles Cresson Wood, CISSP, CISA, CISM, is an independent information security consultant based in Sausalito, Calif. He specializes in the development of information security documents including policies, standards, procedures and job descriptions. He is also the author of the book and CD-ROM entitled Information Security Policies Made Easy.


This was first published in January 2005

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.