Building information risk management frameworks: Developing controls for people, processes and technology

More from Khalid Kark Also see Khalid Kark's related article on how to lay the groundwork before building a risk management framework: Five steps to building information risk management frameworks.

While this may be obvious to any organization that has already attempted to construct an information risk management framework, completing the process successfully requires executing on a number of detailed, complicated steps. As we covered earlier, once the confidentiality, integrity and availability needs are determined for a business area, appropriate people, process and technology controls should then be applied.

People controls are the most essential
For CISOs and their organizations, employees can be either the greatest asset or the biggest liability in the pursuit of managing information risks. CISOs can work with employees to develop a good security culture in the following three ways:

• Identity and access management: Define roles for different users within your environment -- from administrative assistants to the CEO -- and specify physical and logical access privileges for all employees. Once these roles are defined, ensure that they have appropriate access.
• Information security organization: Make everyone responsible for security. Successful CISOs understand that their organizations needs to tackle much more than pure IT security issues; they need to manage the risks to corporate information in any form.
• Training and awareness: Develop a brand and marketing plan for security. Employees outside of security and privacy groups don't think about information risk management, and it's the CISO's job to keep them engaged, interested and thinking about security.

Technology controls create efficiencies and save time
Humans are much smarter than computers, but computers are much better at repetitive, time-consuming tasks. Thus, monitoring, enforcement, response, measurement and reporting of security controls are all prime candidates for automation, but only after you've trained your people and determined your processes. If you skip the people and process elements, all you'll end up doing is making insufficient and broken processes run faster. Forrester Research divides the technology area into seven domains.

• Network: Use technology to make your network intelligent. Network security means keeping your information secure from outsiders, protecting it from unauthorized insiders and securing it in transit.
• Database: Encrypt sensitive database fields, ideally with an enterprise-wide coordinated tool. Keep tight controls on your database with activity monitoring, vulnerability management and encryption tools.
• Systems: Define corporate strategies to protect the systems. As with database protection, authenticate access to storage devices and encrypt the data while at rest, where appropriate.
• Endpoints: Protect the first line of defense. Endpoints include desktops, laptops and mobile devices. Typically, it's the unpatched endpoint systems that get infected and introduce malware into your environment. Deploy technologies such as antivirus, antispam, disk encryption, configuration management, firewall/IPS and strong authentication to protect these vulnerable links in your chain.
• Application infrastructure: Reduce your attack surface. Vulnerabilities affecting Web applications accounted for 69% of all vulnerabilities documented in 2006. To reduce that attack surface, deploy source code analysis technologies and deploy a Web application firewall to defend your application from inappropriate incoming requests.
• Messaging and content: Protect the exchange of business information. CISOs need to ensure that sensitive information is encrypted and that incoming and outgoing Web, email and IM traffic is filtered based on compliance with corporate policies.
• Data encryption: Merely encrypting the data will not provide adequate protection. An enterprise-wide encryption strategy with strict authorization criteria is the key to maintaining data security, whether the data is at rest, in use or in transit.

Process is the glue that binds people and technology
The best information risk management frameworks quickly become useless if no process exists to execute the policies. Forrester divides process into the following seven domains.

For more information Mike Rothman discusses the differences between business continuity planning and operational risk management. Learn the pros and cons of converging security and network management. Mike Chapple explains how to determine if SSL VPN implementation is right for your organization's risk assesment strategy.

• Information risk management: This means reduce, transfer or accept risks. Introduce processes to identify, evaluate and mitigate information security risks first. Next, create processes to prioritize, monitor and track them. Having a formal information risk management process ensures that management is at least aware of the critical risks and can take the appropriate actions to mitigate, reduce, transfer or eliminate them.
• Policy and compliance framework: Provide concrete guidance for users. Writing the security policy is only the first step. The policy needs to be converted into standards, procedures and technical implementation guidelines.
• Information asset management: A lot of companies struggle to manage their information assets because they rely too heavily on technology. To fix this, build processes to define asset ownership, assist with asset classification, manage the asset through its life cycle and ensure appropriate retention or disposal.
• Business continuity and disaster recovery: Substantially reduce the impact of business disruptions and disasters -- or in some cases even avoid them -- by introducing rigor into your BC/DR processes. CISOs must develop a set of processes to maintain, train, test and manage business risks and to ensure that redundant systems and alternate personnel are available if and when needed.
• Incident and threat management: To ensure that threats are researched, planned and responded to appropriately, strong processes are needed. Many CISOs remain focused on infrastructure threats, despite the fact that the majority of risks come from application vulnerabilities.
• Physical and environmental security: No matter how sophisticated your digital security is, if the guards at your gates don't control access to your physical environment consistently, you will never be secure. Forward-thinking organizations are taking steps toward physical/logical security convergence -- collaborating on processes and personnel and getting different sets of technologies to share information and improve the security and overall efficiency of each organization. Equipment and facilities need regular maintenance and adequate environmental controls, such as heating, ventilation, air conditioning and generators to ensure their continuous availability.
• Systems development and operations management: Don't let security be an afterthought. By ensuring that security is involved from day one, you can save a lot of time, effort and money. Requirement gathering, periodic architectural reviews, quality assurance and access controls ensure that a system and its applications are adequately protected.

Taking a top-down approach
Security is a complicated business, and devising a simple way to discover and report where prioritization is needed is vital for not only keeping track of how well you're doing, but also convincing management that the security program is effective. By bringing the people, technology and process elements of security together in a security policy, organizations can establish a framework that effectively monitors, measures and reports on controls and the firm's compliance with security policies.

Khalid Kark is a principal analyst at Forrester Research. His research focuses on information risk management strategy, governance, best practices, measurement, and reporting. He can be reached at kkark@forrester.com.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Risk Management Strategies Easing e-discovery preparation by mapping enterprise data Database patch denial: How 'critical' are Oracle's CPUs? Security breach management: Planning and preparation The ins and outs of database encryption Failure mode and effects analysis: Process and system risk assessment Data loss prevention (DLP) tools: The new way to prevent identity theft? IT GRC: Combining disciplines for better enterprise security Partner access: Balancing security and availability Enterprise data management: Analyzing business processes and infrastructure for data protection Filtering log data: Looking for the needle in the haystack Risk Management Metrics and Measuring Risk Security data lapses hamper researchers Next wave of security will be defined by metrics, analysts say Like MLB scouts, IT security pros are turning to metrics Interview: Financial Services CISO David Pollino Failure mode and effects analysis: Process and system risk assessment The pros and cons of data breach insurance Researcher Puts Quantitative Measurement on Information Security Threats Quiz: Developing a risk-based compliance program Sophisticated spam, employee errors continue unabated Why you shouldn't wager the house on risk management models Creating and Managing Information Security Policies Security Awareness Training Essential Part of Infosec Program How to lock down instant messaging in the enterprise Worst practices: Bad security incidents to avoid Thompson calls for marriage of data and security management Companies Collecting Too Much Customer Data Increase Exposure Interview: Arizona CISO David VanderNaalt Incident response success in five quick steps Social networking Web site threats manageable with good enterprise policy What controls can compensate when segregation of duties isn't economically feasible? IT GRC: Combining disciplines for better enterprise security Creating and Managing Information Security Policies Research RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary defense in depth  (SearchSecurity.com) non-disclosure agreement  (SearchSecurity.com) security policy  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.