Information security is one of the most talked-about concepts in companies these days, and everyone wants to have it. A common myth is that it is a plug-and-play system: install it in your company and you are secure against all threats. Unfortunately, it is not an umbrella that will shield you from all the rain. You will have to plan, analyze and customize a security management system based on your needs and circumstances.
In this write-up we will talk about how risk management is linked with information security and why it is vital to consider risk management an integral part of information security. Would you spend 100,000 US $ to protect something that is worth the same or less? Does that make any sense? No. So before managing risks, you need to assess them: first analyze how important the information is, and what the consequences are if you lose it or it falls into the wrong hands.
Too many companies treat security as something that belongs only to the IT department, whereas risk assessment and management is a business process that applies to all business units. Risk management should be treated as an integral process of any business function. It plays a vital role in the effectiveness of technology as well as of the processes, procedures and people that handle that technology.
How to conduct an information security risk management practice?
It starts with an information security plan, which must be applied in four stages:
1) A calculation of defined assets, threats, risks, operational issues and costs
2) A security program selected to counter the vulnerabilities
3) Implementation of the approved solution
4) Maintenance on a wider scale that guarantees the solution's effectiveness.
Three security procedures that are given due diligence in an organization are: personal security, information security and physical security. If an organization is serious about improving its safety and security measures, it should conduct a risk assessment first in order to manage the upcoming risks to the environment, the human factor and company assets.
Security experts strongly believe that humans pose the greatest risk to any organization. Assets including people, property and reputation are significant examples. Humans play the main role, since they are the ones devising a risk mitigation plan for an information security breach, and they alone are responsible for changing that plan as needed. A network security manager might waste money buying network security check software without understanding the risk introduced by changing the existing program; such a change may itself open severe security breaches that lead the company to serious security losses.
Many companies do not work on their security parameters: sometimes because they fail to recognize the vulnerabilities, sometimes because they have no proper way to counter them, and sometimes because they refuse to accept any change. Some have no interest, or think security isn't that important, which places them at substantial risk of financial loss and data security problems.
Risk assessment is basically the art of identifying possible security breaches, measuring the likelihood that each might occur, prioritizing the identified risks against one another, and measuring the impact of each vulnerability on the organization's most exposed assets.
I would like to guide you through the right process for managing risks.
The Risk Assessment Process
Phase 1: Start with a Security Survey:
The process starts with a security survey, conducted by a professional security practitioner on a facility. It is the basic tool used in risk evaluation. This examination identifies the weak security areas and the existing security measures, and recommends measures to close the gaps before security breaches occur.
Phase 2: Identify the Assets:
Assets are the people, possessions, information and reputation of the organization.
Phase 3: Identify the risk:
Risk refers to the likelihood of experiencing loss from an incident or event. Risks can be of many types: natural, physical, catastrophic, man-made and economic.
Phase 4: Determine risk probability:
Many factors determine risk probability: the physical environment, social environment, political environment and historical environment, employee theft, workplace violence, fire, robbery, burglary, identity theft, bomb threats, injury, damage, natural disasters, industrial espionage, payroll, purchasing and receiving, computers, information theft and cyber-crime.
Phase 5: Determine Countermeasures:
Once risks are identified, it is time to prioritize them, and countermeasures should be applied to reduce the exposed risks, threats and events. Countermeasures are basically procedures, personnel, equipment, and records such as incident reports, access reports and transaction logs. A countermeasure is the means of controlling and preventing the risks' adverse effects.
Phase 6: Perform Cost/Benefit Measure:
The countermeasures adopted should not cost more than the benefit received. This should be a measure applied across all business processes. Before spending on a countermeasure, management must also consider the return on that expenditure.
Phase 7: Risk Management:
An information security management system helps your team fight unforeseen risks and review, revise and improve the countermeasures as needed. This is risk management. Many companies have devised numerous security programs but fail to revise, strengthen, review, improve and mitigate them as needed. Many organizations now find it worthwhile to outsource their security concerns and hire a team of security consultants with sound risk management expertise and an information security management background.
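As an added illustration (not part of the original article), here is a small Python risk register that walks Phases 2 through 6: it scores each asset/threat pair by expected annual loss, prioritizes them, and applies the cost/benefit test to the proposed countermeasure. The register entries, the likelihood and impact values and the scoring formula (asset value x impact x likelihood) are constructed assumptions, not figures from the article.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One row of the risk register: an asset, a threat to it, and a candidate countermeasure."""
    asset: str
    threat: str
    asset_value: float       # replacement or loss value in USD (constructed)
    likelihood: float        # estimated probability of the event per year, 0..1 (constructed)
    impact: float            # fraction of the asset value lost if the event occurs, 0..1
    countermeasure: str
    cm_cost: float           # annual cost of the countermeasure in USD (constructed)
    cm_effectiveness: float  # fraction of the expected loss the countermeasure removes, 0..1

    def expected_loss(self) -> float:
        """Phase 3/4: annualised expected loss with no countermeasure in place (assumed formula)."""
        return self.asset_value * self.impact * self.likelihood

    def benefit(self) -> float:
        """Expected loss avoided per year if the countermeasure is deployed."""
        return self.expected_loss() * self.cm_effectiveness

    def worth_it(self) -> bool:
        """Phase 6 test: the countermeasure must not cost more than the loss it prevents."""
        return self.cm_cost < self.benefit()


# Constructed sample register; the numbers are illustrative only.
REGISTER = [
    Risk("customer database", "information theft", 500_000, 0.10, 0.8, "encryption + access logging", 20_000, 0.7),
    Risk("office laptops", "burglary", 60_000, 0.20, 0.5, "cable locks + full-disk encryption", 3_000, 0.9),
    Risk("archived paper records", "fire", 40_000, 0.02, 1.0, "off-site scanning service", 15_000, 0.95),
]


def prioritize(register):
    """Phase 5: order the register so the highest expected loss comes first."""
    return sorted(register, key=lambda r: r.expected_loss(), reverse=True)


def recommend(register):
    """Phase 6: keep only the countermeasures whose yearly benefit exceeds their yearly cost."""
    return [r for r in prioritize(register) if r.worth_it()]


if __name__ == "__main__":
    for r in prioritize(REGISTER):
        verdict = "ADOPT" if r.worth_it() else "RECONSIDER"
        print(f"{r.asset:24} {r.threat:18} loss/yr=${r.expected_loss():>9,.0f} "
              f"benefit=${r.benefit():>9,.0f} cost=${r.cm_cost:>8,.0f} {verdict}")
```

The third row is the article's own warning in numbers: a 15,000 USD control guarding an 800 USD-per-year expected loss fails the cost/benefit test even though the control itself works.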
So what procedures should be followed for effective information security risk management?
Here are 8 short tips for all security professionals working in the domain of information security management.
1. Does the need really exist?
Security professionals have always been involved with security controls, fighting hard against malware and cyber crime, and yet even with the right technology we can never be sure that our security has improved and that we are doing the right things. Recognizing the need for risk management is the important point here.
2. Assess your assets
A lot of security managers don't know what type of data they need to secure for an organization, or what data is coming into and going out of it. Only if you know your organization's assets do you know which data and assets require more security than others; this gets especially hard when people change jobs too frequently.
3. Assess the risk appetite
The organization should first test its risk appetite: decide whether the organization we serve should be risk averse, or assess it by applying actionable controls around the risks.
4. Find risk through compliance measures:
You all know that failing a compliance measure automatically raises the fear of high risk. So if you are unable to determine your risk exposure, you must regularly work with the compliance regulators.
5. Manage the unknown risks
When you start making observations and judgements about unknown and unexpected events, those instances determine your organization's maturity: how fast you identify the risk, how fast you move to its resolution, how fast you get rid of it, and how much impact you made on enterprise risk management. These questions let you measure the unknown risks that have emerged.
6. Define your processes:
Risk management should be treated as a business process which starts with assessing the risks that do occur, the risks that might occur, and the unexpected ones. For example, it must be mandated that any application going into production passes a security check and accreditation in which its risks are assessed, making sure that the process is maintained across all business units. The process must be centralized, speedy, predictable and consistent across the whole organization.
7. Get feedback on how you perform:
Security professionals must all know which information is important and needs to be protected. All risks should be listed by importance and severity, so everyone knows the precedence and priority of each risk and the sustainable actions needed to address it. The recorded measurements give you feedback on how well you are performing in measuring and protecting against the risks.
8. Getting better with risk management:
You are successful with a risk management strategy only if you align all your efforts with the success of the business. This depends on your experience, confidence, trust and the credibility you have with the organization. And you will certainly get better with time.
Best of Luck with your Information Security!