5 Steps To Strengthen Information Risk Profiles

Published: 22/11/2024   Category: security




Make sure you include the right employees and business processes when developing risk management strategy.



Consider the phrase "information risk profile." It sounds serious, important. It sounds like something most companies should have in the information age. Yet it's a risk-management strategy that's easy to put off or ignore altogether.
For organizations with an outdated, insufficient or altogether nonexistent information risk profile, it helps to start with a basic question: Just what the heck is one?
"I look at it as a conversation that discusses the organization's tolerance for loss, disruption or availability issues regarding their data assets," IP Architects president John Pironti said in an interview. "When does it hurt when they lose something?"
Having that conversation, as it were, can help companies define and prioritize smarter approaches to securing and safeguarding their information, no matter what that information might be. This in turn helps minimize the potential pain when things go wrong: financial loss, PR embarrassment, productivity drains and similar downsides.
Among the many reasons an information risk profile is an important tool in the digital age: A comprehensive one can help organizations clarify what is actually important versus what is merely perceived to be important. Failing to make that distinction often leads to wasted resources, ineffective strategies and poor decision making.
Pironti, who will chair the Information Security and Risk Management track at Interop, offered this advice on building effective, efficient information risk profiles.
1. Heed The Difference Between Risk And Threat.
Pironti noted a common misconception about information risk: "I think security professionals, myself included, spend too much time thinking that they know risk when they really know threat," he said. Although "threat" might apply to areas such as malware or phishing scams, "risk" should include a much broader view of data loss, corruption or downtime, no matter the cause.
Comprehensive profiles address not just targeted or indiscriminate security attacks, but risk of all kinds: employee error, technology failure, vendor mistakes and so on. "At the end of the day, they have the same business impact," Pironti said.
2. The Company Should Own The Profile.
"You're looking for the business leadership to really help to understand: What should we care about and why?" Pironti said. This can be easier said than done, Pironti added, because executives and managers are often paid to take risks. But Pironti's view is shared by others in the security and privacy field.
Although information security pros should lead the process, the end result should be owned and maintained by the business. "If security guys just go around and give their perspectives and look for a rubber stamp from the business, it probably won't be embraced [or] viewed as something that's credible," he said. "It's probably not going to make it to the senior leadership or to the board level because it's going to be viewed as an operational review rather than a business-level review."
3. You Need The Right People In The Room.
Establishing a risk profile that the business embraces requires involving the right people. Pironti recommended involving business process owners or data owners. Ultimately, senior leadership will need to buy in as well. If you're unsure who the business process owners are in your organization, identify the people with profit-and-loss (P&L) responsibility. In other words: Whose bottom line gets hit if there's an information-related incident?
4. The Goal Is Not To Include Everything.
For businesses with finite resources (and that's most of them), trying to account for every shred of data that passes through the organization is not only inadvisable, it's a fast track to failure. Don't forget that the whole point of building an information risk profile is to prioritize based on your company's data and its relative importance for revenue, compliance and other factors.
"Look for the key business processes, the ones that are considered essentially important to the operations or health and safety of the organization," Pironti said. "It wouldn't be realistic to say that we should look at every detail and every thing."
Pironti applies the concept of due care here, which asks: Did you do what could be reasonably expected of you to protect your data? "That's your bare minimum starting point, and then you work upwards," Pironti said. "If there were a situation, we can [then] feel comfortable that we are protecting ourselves from legal concerns, from compliance concerns, from the court of public opinion, as well as ensuring that our business can operate in a way that makes sense for us, versus what everybody else tells us we should do."
5. Avoid Too Many Cooks.
No one wants to be told their data or business process is a lower priority than that of the person sitting two doors down. Few people in a get-ahead culture will ever willingly admit that their areas of responsibility aren't as important from a risk management standpoint. As a result, there's a bit of diplomacy required of information security pros when developing a risk profile.
Pironti offered this tip: If there's already a business continuity or disaster recovery plan in place, start there. A good one should, in effect, have already ranked the company's data priorities, which can help smooth out any ruffled feathers.
"A lot of organizations have already gone through that process, versus doing a real risk profile," Pironti said. "It's an easy starting point."
InformationWeek is conducting a survey on security and risk management. Take the InformationWeek 2013 Strategic Security Survey today. Survey ends March 29.
