Every so often, security professionals are thrust into the limelight as the result of a security crisis. Delighted with the attention the incident brings, they may believe that top management will pay more attention to information security. And given that erroneous belief, they often submit proposals for major improvements, which may get approved if the recent problem and its aftermath are painful enough. However, the proposed information security improvements often fail to receive management support. A more holistic long-term strategy would be to use these crises to make a proposal for an institutionalized risk management process.
Clearly, top managers are constantly juggling pressing matters aside from information security. Knowing this, security pros think that their only shot at making significant improvements lies in quickly preparing improvement proposals (or perhaps preparing them in advance), and then submitting these just after a major crisis takes place. While there's strong merit to "striking while the iron is hot" and riding the searing waves of the pain and cost of a recent intrusion, this strategy isn't a long-term approach.
However, a crisis is a valuable opportunity for proposing an institutionalized risk management lifecycle process that will periodically bring information security to the attention of top management. Such a process can bring balance to the often-encountered cycle which goes from understaffed and somewhat unprepared scrambling
The fact is information security is now an essential part of modern business in developed countries around the globe. But in spite of this status, it still has a ways to go when it comes to getting recognized as a normal and required way in which to conduct business. To that end, adopting a risk management lifecycle process can enable organizations to integrate information security into business activities, including budgeting, strategic planning, marketing, human resources and purchasing.
A risk management lifecycle process is a simple loop. It forces management to periodically revisit information security risks, consider what should be done and take action to reduce what's deemed unacceptable. The specific process differs from business to business, but typically the process includes these basic steps:
- Defining security requirements -- often expressed in the form of policies
- Implementing controls -- to reflect outlined requirements
- Performing asset inventory
- Performing asset ranking and prioritization
- Identifying threats -- illuminating the perils that face these assets and the organization as a whole
- Assessing vulnerabilities -- illuminating the threats that are presently not adequately addressed
- Checking compliance -- against existing requirements both internal and external
- Proposing changes in requirements
- Evaluating the merits of proposed changes in requirements -- for example with cost/benefit analysis
- Approving the development and deployment of new requirements
The intention of the cycle is to get management to go through the process at least annually, even if there's no crisis forcing them to pay attention to information security. The process requires information security-specific policies, which need approval by top management -- policies that will force other layers of management to work with the risk management lifecycle. Such an action-forcing mechanism could involve the withholding of funds for other IT projects until risk management paperwork has been completed.
While recent information security breaches provide a compelling reason to adopt a risk management lifecycle, discussions about the need to be in compliance with information security laws and regulations, such Sarbanes-Oxley, also serve as a forceful justification for institutionalizing this type of process. Whenever possible, in order to reduce the amount of effort required, information security pros should add a risk management lifecycle to related risk management lifecycles that are already in-place. For example, integrating risk management into an existing process could involve an examination of the risks in a wide variety of departments like Legal, Physical Security and Finance. Such a process forces top management to see risk from an across-the-organization perspective, so that the most serious risks can readily be highlighted (and hopefully soon thereafter addressed). In the absence of a similar risk management process to which an information security risk management lifecycle could be attached, the integration with an existing budget process is recommended. In this case, preparing documentation for a risk management lifecycle can be a required part of the annual budgetary paperwork.
A risk management lifecycle process gives management the chance to make new trade-off decisions between security and competing objectives including cost, ease-of-use, time to market and customer service. It enables management to implement appropriate information security measures, and make rational and well-informed decisions.
About the author
Charles Cresson Wood, CISSP, CISA, CISM, is an independent information security consultant based in Sausalito, Calif. He specializes in the development of information security documents including policies, standards, procedures and job descriptions. He is also the author of the book and CD-ROM entitled Information Security Policies Made Easy.
This was first published in January 2005