
How to Create an Effective Information Security Risk Management Programme

Monday 24 September 2018

Ahead of IP EXPO Europe, Peter Smith, regional sales manager Europe at Netwrix Corporation explains how to create an effective security risk management programme and walks us through the relevant steps.  

Anyone responsible for corporate information security risk management has a tough job on their hands. Businesses keep generating large volumes of data, IT systems are increasingly complex, and cyber threats continue to evolve. The list of challenges can seem endless, while budgets and staff are rarely sufficient to address all of them at once.

What is information security risk management?

Information security risk management, or ISRM, is the process of managing the risks that arise from an organisation's use of information technology. In other words, organisations identify and evaluate risks to the confidentiality, integrity and availability of their information assets, and then decide what to do about them. The process can be broadly divided into two components:

  • Risk assessment — Identifying assets, the threats and vulnerabilities that affect them and the controls already in place, then combining that information to estimate the likelihood and impact of each risk
  • Risk treatment — The actions taken to remediate, mitigate, avoid, accept, transfer or otherwise manage each assessed risk
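The following is an added example, not code from the article or from Netwrix, of how a small risk register can make the assessment and treatment steps above concrete: each risk gets an inherent score from likelihood and impact, existing controls reduce it to a residual score, and the residual score is compared with the organisation's risk appetite to pick a treatment. The 1-5 ordinal scales, the proportional control-effectiveness model, the threshold values and the asset names are all assumptions made for illustration; a real programme would define its own.

```python
"""Added example: a minimal information security risk register.

Assumptions (not from the article): 1-5 ordinal scales for likelihood and
impact, controls that reduce exposure proportionally, and two thresholds
(risk appetite and an upper "cannot tolerate" bound) set by management.
"""
from dataclasses import dataclass

# Constructed ordinal scales; an organisation would define its own.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    asset: str                    # information asset at risk
    threat: str                   # what could go wrong
    likelihood: str               # key into LIKELIHOOD
    impact: str                   # key into IMPACT
    control_effectiveness: float  # 0.0 = no control, 1.0 = fully mitigating
    transferable: bool = False    # e.g. insurance or contractual transfer is available

    def __post_init__(self):
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError("likelihood/impact must use the defined scales")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError("control_effectiveness must be between 0 and 1")


def inherent_score(r: Risk) -> int:
    """Risk before controls: likelihood x impact on the ordinal scales."""
    return LIKELIHOOD[r.likelihood] * IMPACT[r.impact]


def residual_score(r: Risk) -> float:
    """Risk after existing controls (assumed proportional reduction)."""
    return round(inherent_score(r) * (1.0 - r.control_effectiveness), 2)


def treatment(r: Risk, appetite: float, avoid_above: float) -> str:
    """Choose a treatment by comparing residual risk with management thresholds."""
    residual = residual_score(r)
    if residual <= appetite:
        return "accept"        # within risk appetite: record and monitor
    if residual > avoid_above:
        return "avoid"         # beyond what the business will tolerate at all
    if r.transferable:
        return "transfer"      # shift financial impact to a third party
    return "mitigate"          # add or strengthen controls


def register_report(risks, appetite: float, avoid_above: float):
    """Register rows ordered by residual risk, highest first."""
    return [
        {
            "asset": r.asset,
            "threat": r.threat,
            "inherent": inherent_score(r),
            "residual": residual_score(r),
            "treatment": treatment(r, appetite, avoid_above),
        }
        for r in sorted(risks, key=residual_score, reverse=True)
    ]


def kpi_within_appetite(risks, appetite: float) -> float:
    """Example KPI: share of registered risks whose residual is within appetite."""
    return sum(1 for r in risks if residual_score(r) <= appetite) / len(risks)


# Constructed sample register (hypothetical assets and ratings).
SAMPLE_RISKS = [
    Risk("customer database", "ransomware", "likely", "severe", 0.6),
    Risk("public website", "defacement", "possible", "minor", 0.5),
    Risk("legacy file server", "exploit of unpatched service", "almost certain", "major", 0.0, transferable=True),
]
APPETITE = 6.0      # assumed: management accepts residual risk up to this score
AVOID_ABOVE = 15.0  # assumed: residual above this is not tolerated

if __name__ == "__main__":
    for row in register_report(SAMPLE_RISKS, APPETITE, AVOID_ABOVE):
        print(f"{row['asset']:<22} {row['threat']:<30} inherent={row['inherent']:>2} "
              f"residual={row['residual']:>5} -> {row['treatment']}")
    print(f"risks within appetite: {kpi_within_appetite(SAMPLE_RISKS, APPETITE):.0%}")
```

The thresholds are what turn a list of scores into decisions: the same residual score of 8 is accepted under one appetite and mitigated under another, which is why Step 1 below insists on agreeing the appetite with the business before the programme is built.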

What are the steps needed to create an effective information security risk management programme?

Practice shows that a multi-phased approach to creating an ISRM programme is the most effective: breaking the work into stages produces a more comprehensive programme, makes the process more manageable and allows a business to fix issues as they are found. Here are five steps for building an effective information security risk management programme:

Step 1: Business awareness

Firstly, it is important to understand the organisation's business conditions, such as budget, available staff and the complexity of its business processes. The organisation's risk profile should also be documented, with a description of each risk it faces, together with its risk appetite; in other words, the level of risk it is prepared to accept in pursuit of its objectives. The appetite is the yardstick against which every later assessment is judged, so it needs to be agreed with management rather than assumed by the security team.

Step 2: Programme definition

Next, the organisation needs to define the ISRM programme, and should be sure to:

  • Define a prescriptive annual plan, supported by a high-level three-year plan
  • Clearly define the target state ("point of arrival") for each capability, based on management input
  • Ensure that staff with the necessary skills are available to execute the programme
  • Gain an understanding of the internal culture, since it determines how policies and controls will actually be followed

Step 3: Programme development

In this stage, it is important to define the functional capabilities and controls related to IT security and risk management (e.g. vulnerability assessment, incident response, training and communication) and the governance model that determines who is responsible for each area of the ISRM strategy. If a company chooses to outsource the implementation of some ISRM capabilities to third parties, it must assess the risks of doing so and ensure that internal staff retain appropriate oversight; accountability for the risk cannot be outsourced.

Step 4: Metrics and benchmarking

In this stage, an organisation needs to define the metrics that will be used to evaluate the effectiveness of the ISRM strategy. Here are two best practices for this step:

  • Ensure alignment with industry standards and guidelines: Several standards and frameworks describe the functions an ISRM programme should have and help map it to the regulations that apply to the business. Checking the programme against more than one of them is a good way to identify whether it has all the necessary functions and capabilities.
  • Use KPIs to measure the effectiveness of the functions and capabilities developed through the ISRM programme: When developing KPIs, first identify the business value that each ISRM capability is expected to deliver, then define objective criteria that can be used to assess that value. Base KPIs on potential business impact and on the target-state guidelines defined in Step 2, and assign monetary values where possible; this connects the company's security posture to the business context that the organisation's leadership understands. It is also essential to set, for each KPI, the thresholds that separate an acceptable result from an unacceptable one, so that a reading triggers a defined response rather than a debate.

Step 5: Implementation and operation

Finally, organisations should work through all the stages of ISRM (identify, protect, detect, respond and recover, the five functions of the NIST Cybersecurity Framework) and repeat them on a regular basis. It is essential to have a policy that describes every stage, the responsibilities of employees and the schedule or conditions for reviewing the programme. Major changes in the IT environment, data breaches in the industry or new kinds of cyber attack are all valid reasons to look at an ISRM programme with a critical eye and revise it if necessary.

Security risks are inevitable, so the ability to understand and manage risks to systems and data is essential for an organisation's success. Developing an ISRM programme makes the risk management process more manageable and helps to protect a business's most critical assets against emerging cyber threats. An organisation that can address risks and respond effectively to security incidents will learn from each one, resist cyber threats better and reduce its risk over time.

If you are interested in learning more about how to create an effective information security risk management programme, drop by stand CC6 to ask Peter any questions you may have. https://www.netwrix.com/
