Friday, May 27, 2005

The Seven Laws of Information Risk Management

IT Observer is running an article entitled the Seven Laws of Information Risk Management. All of the rules ring true, in my experience:

IT Observer - The Seven Laws of Information Risk Management:

"1. Your partners and employees will steal from you

You are ultimately responsible for how your employees and business partners access and use your data. Today's information theft debacles are the tip of the iceberg. As globalization and interconnectedness increases without proper vetting and security, employees, customers and trading partners can accidentally corrupt your data or cause regulatory compliance issues through misuse of the data. In the worst-case scenario, they can steal the confidential data and sell it. Information Risk Management technology continuously learns corporate, customer and partner user behavior patterns and alerts to changes in these patterns.

2. Bust up policy barriers

Security, auditing, regulatory affairs and privacy impact the entire organization and should not be kept in departmental silos. People, process and technology must be integrated. A crucial element is that the organization's security executive must have the authority and budget to develop, implement and enforce a holistic information security plan. The mindset of "implied trust" between systems, employees and trusted partners is no longer valid. Information Risk Management technology uses data governance frameworks to integrate business functions, control processes, employee education and cultural values.

3. It's all about privacy

You can't have privacy without security and you can't meet regulatory compliance without privacy. Security is a building block for privacy, which is a major component of regulatory initiatives. For example, CA1386, HIPAA and GLBA in the United States and the Japan Information Privacy Law are primarily about privacy. The fundamental weakness to such laws is they cannot protect your brand, sensitive data, business continuity or financial position against a breach. Implementing a comprehensive information risk management solution helps you achieve privacy and compliance through security.

4. Don't stop working

Effective Information Risk Management should not radically alter work or its flow. Examples are rife of organizations implementing draconian policies that substantially reduce productivity and impair customer service, while providing questionable security benefits. Securing information is fundamentally about protecting data integrity, confidentiality and availability at rest and as it moves through the organization and beyond to the value chain. As such, Information Risk Management must protect information "in context" of business processes, decisions and evolving conditions.

5. Don't spend foolishly

You must match the level of Information Risk Management investment directly to the level of risk. Business process owners should determine risk profiles of the organization's data. For instance, customer data has a much higher risk profile than a marketing brochure PDF. The resulting risk management portfolio is an essential guide to selecting the necessary technologies. The next step is evaluating the risk reduction on investment.

For each dollar invested, ascertain the quantitative and qualitative risk mitigated by the technology. Every organization has an optimal risk reduction on investment tipping point.

6. Be afraid - it will happen to you

Expect the unexpected by assigning responsibilities before a privacy breach occurs. Information theft only happening to the "other guy" is just a myth and the chance is greater than 50 percent that it has already happened at your organization. Access to customer demand forecasts, financial records and patents is very valuable, not just to your trusted partners, but also to thieves and harvesters. Protecting against abused authorized user privileges should top the list of priorities. Ernst & Young recently reported that 70% of all security breaches that involve losses of more than $100,000 are perpetrated internally.

7. No silver bullet

There is no single technology that will solve security problems or provide regulatory compliance! Proper planning of how people and processes should leverage technology and enforce business rules and security best practices is key to a successful Information Risk Management strategy. The right Information Risk Management solution should be judged on its vulnerability assessment, monitoring, auditing and deterrence functionality. Also important are global support for heterogeneous databases, compliance reporting and cost efficiency. Remember that Information Risk Management is a process that requires continuous monitoring, auditing and adjustment of how sensitive information is used - not just an initial risk assessment."

Businesses should pay particular attention to "It will happen to you" and then re-read the other six ...