|
Corporate Information Security Risks
Every year, I attempt to reassess the high level corporate information security risks. This process helps me to create my top corporate information security resolutions similar to my own personal new year resolutions. Although, information security risk management is a continuous process, it’s always helpful to reconsider the high level risks before attempting to identify and document the underlying risks of a particular risk category. This process is extremely important for two main reasons; general risks might change from year to year, and second, it helps to break down the high level risks into smaller and actionable risks. After all, security professionals perform information security risk assessments to implement mitigating controls for identified security risks. It’s almost like breaking down a large task into smaller tasks for better manageability and tracking. When observing organizations, their structures and information security management practices, there are strategic information security risks, which if are not fully addressed, can increase the risk of regulatory noncompliance and unauthorized data disclosure for the enterprise. Let’s now consider the high level information security risks: Visibility & independence – information security group visibility and independence is critical to secure the enterprise. In order to assess the visibility and independence risks, we have to consider the reporting level of the information security group within any organization. Although, Information Technology (IT) and related systems and processes constitute a big part of the information security risk management scope, the IT group itself usually reports to an entity in the business area whether it’s Finance or Operations. This is of course assuming that we’re talking about an organization where IT is a separate entity apart from the business. There are many debates about where the information security group should report within any organization whether to the CIO, CFO, CEO, COO or the board, but considering the criticality of independence, visibility and integrity of the information security group, and, IT being a major stakeholder and owner of the security areas and related risks, it makes sense to have the information security group report to an entity outside of IT and, at the highest level possible of the organization to preserve both independence and increased visibility. Oversight – An information security function must preferably be responsible for managing all information security risks, including security program, policies and standards; operations security & access administration; network, application and web security; physical security; business continuity & disaster recovery. At a minimum, the group must be closely aligned with the above mentioned corporate entities and other internal groups such as the privacy group to address impact of security breaches and confidential data disclosures, legal and strategic sourcing groups to ensure contracts with third parties include all appropriate security clauses, internal audit and other regulatory compliance groups to avoid duplication of efforts and ensure completeness of risk coverage. Any functional scope limitation due to break up and decentralization of the information security function may lead to redundancy, increased cost, lack of synergy, miscommunication, delayed actions, and lack of ownership, placing the enterprise at additional and unnecessary information security risks. Executive management support – Any information security group is incapacitated or at best semi functional if there is no executive management support. Management support must be clearly and entirely communicated to all employees, empowering the group tasked to protect the critical information assets of the enterprise. Such management support is especially important and critical to allow the information security group to assign ownership of security areas and risks. Individuals and/or groups may from time to time attempt to brush aside any responsibility or ownership for addressing security risks. However, without timely assignment of security risks for remediation or area ownership to support the risk assessment process, the company is once again placed at increased risk. The information security group can play a key role in educating management regarding security risks and group’s function, however, management must be open minded and willing to listen. Most often and unfortunately, management suddenly places importance on information protection after a major security breach, especially when speaking to the public and reporters, however, this reactionary behavior is temporary and ineffective in managing security risks due to lack of serious and sustained management commitment to the protection of corporate information assets. Budgets – inadequate budgets may be the consequence of insufficient or inexistent executive management support or lack of priority placed upon the information security function. In order to properly budget for the protection of the enterprise information assets, information security priority, and management support backed by solid financial contribution must first exist. Absence of reasonable financial support may lead to an incapacitated information security function that looks good on the organization chart for the regulators and stockholders, but which is unable to execute the required plan to reduce the information security risks. Inadequate security budgets ultimately lead to higher security risks, an ineffective and inefficient information security group, an uneducated and unaware enterprise, inadequate information security staff levels, and unqualified information security professionals due to lower salaries and unavailable quality information security training.
Identity Protection Insights NewsletterEffective identity protection requires dynamic and integrated solutions. This site provides awareness, education and many solutions to address the growing problem of identity theft. Please sign up for the Identity Protection Insights newsletter to receive periodic notification of important articles and solutions, major identity theft news analysis, fraud alerts, and other service announcements. |
