Information Risk Management: The Current Challenges Faced by Organizations and their Solutions
ETCO India, September 2010, Pages: 107
Information Risk Management (IRM) has become a mission-critical business requirement for businesses across the world amidst the known and emerging threats facing the Information Systems of organizations. A lot of activity is taking place in this area, with a large number of products & services introduced in the global markets and billions of dollars being burnt by business owners. But everyone has one question in mind: are we doing enough? Business owners want to know whether they are effectively & proactively identifying information risks and implementing adequate controls to mitigate them. This paper presents the problems faced by global organizations pertaining to Information Risk Management and presents solutions that were deemed feasible by a number of respondents in a survey of 325 participants conducted by the researcher. If the Risk Management and Information Security consulting companies across the world design service packages to “implement the frameworks and not only advise on them”, to the extent that the frameworks are culturally accepted by employees and the value added to the business is tangibly demonstrated, they can tap a huge market potential across the globe. As per the estimates carried out in this research, the Information Security and Risk Management markets in the technology & knowledge intensive sectors of the UK and all countries of the European Union put together offer a market potential of about $12 Billion for one-time implementation and about $1.5 Billion in annual service charges, if the Information Security and Risk Management consultants package and offer the services designed in this report.
The target audience of this report comprises:
- IRM professionals practicing in the global markets
- External and Internal auditors
- Senior Management, Top Management & Board members of organizations that either have IRM implemented or are planning to implement it in due course
- IRM & ISMS process package and software tool design companies
- Quality Management professionals
- IT Security & ISMS professionals
- Legal & Statutory strategy makers
- IRM managers in Government & Public Sector units
Some of the key findings of the report are:
- The IRM & ISMS training manuals for employees mostly consist of checklists of dos and don’ts, with very little emphasis on improving the general knowledge of employees about the threats and their associated impacts. The knowledge management efforts for employees pertaining to IRM & ISMS as a subject matter or domain area are not adequate.
- The security policies & acceptable usage policies written in organizations as an outcome of IRM are more like “compliance enforcement documents”, describing breaches and punishments in great detail but giving little emphasis to the rationale of the controls, although it should be the other way round. In fact these documents are the most uninteresting papers employees have to read, and most of the time they are responsible for inducing fear psychosis and play-safe attitudes in organizations.
- Very little effort is applied to achieve the buy-in of employees on the security controls by understanding the negative impacts the controls have on them and modifying the documented policies to make them optimal from both the management and the employee perspective.
- Implementation of stringent security controls has resulted in a reduction of employee satisfaction & innovation capability, thus reducing the delivery efficiency and effectiveness of the organization.
- The IRM and ISMS teams normally sit outside the IT & IS functions and have members who are not qualified & experienced enough to carry out an in-depth audit of the technical environment of the organization. Thus, the auditing of these functions becomes more of a paperwork exercise to satisfy the audit plan requirements.
1.1 RESEARCH OBJECTIVES AND THE RESEARCH QUESTIONS
1.2 SIGNIFICANCE OF THE REPORT
1.3 HYPOTHESES OF THE REPORT
1.4 SCOPE AND LIMITATIONS OF THE REPORT
1.5 THE PROPOSED OUTPUT OF REPORT
2.0 LITERATURE REVIEW AND DISCUSSIONS
2.1 GLOBAL BEST PRACTICES IN INFORMATION RISK MANAGEMENT
2.1.1 NIST RECOMMENDATIONS
2.1.2 THE ISO 27002:2008 STANDARD
2.1.3 THE ISO 27005:2008 STANDARD
2.1.4 THE COBIT FRAMEWORK
2.1.5 CRAMM, OCTAVE AND FRAP FRAMEWORKS
2.2 THE CURRENT CHALLENGES IN INFORMATION RISK MANAGEMENT AND THEIR SOLUTIONS
2.2.1 INFORMATION ASSET MANAGEMENT
2.2.2 EVALUATION OF ASSET VALUE
2.2.3 ANALYSIS OF EXPOSURE OF ASSETS TO KNOWN AND EMERGING THREATS
2.2.4 ANALYSIS OF IMPACT TO THE BUSINESS, CUSTOMERS, REPUTATION AND FINANCIALS
2.2.5 REGULATORY IMPACT ANALYSIS
2.2.6 ANALYSIS OF PROBABILITY OF OCCURRENCE
2.2.7 ANALYSIS OF INTERNAL VULNERABILITIES
2.2.8 CONCLUDING THE RISK VALUES
2.3 FORMULATION AND APPLICATION OF CONTROLS – CHALLENGES AND SOLUTIONS
2.3.1 THE CONTROLS FRAMEWORK OF ISO 27001:2005
2.3.2 APPLICATION OF CONTROLS
2.3.3 TESTING THE EFFECTIVENESS OF CONTROLS
2.3.4 MANAGEMENT COMMITMENT TO INFORMATION RISK MANAGEMENT
2.4 CONTINUOUS IMPROVEMENTS – CHALLENGES AND SOLUTIONS
2.4.1 UPDATING THE THREAT DATABASE
2.4.2 KNOWING ADDITIONAL VULNERABILITIES
2.4.3 ENHANCEMENT OF EXISTING CONTROLS
2.4.4 CULTURAL ACCEPTANCE OF RISK MANAGEMENT FRAMEWORK
2.4.5 HIRING EXTERNAL CONSULTANTS AND AUDITORS
3.1 RESEARCH METHODOLOGY
3.2 RESEARCH LIFE-CYCLE
3.3 RESEARCH PROCEDURE
3.4 DECLARATION OF ETHICAL PERSPECTIVE
4.0 THE RESEARCH OUTPUT
4.1 OUTCOME OF THE PROJECT
4.2 SUMMARY OF RESULTS
4.3 CRITICAL DISCUSSIONS
4.4 CONCLUSIONS AND GENERALIZATIONS
List of Tables
Table 1: Template to prepare Statement of Applicability in ISO 27001 implementation
Table 2: Control Effectiveness Rating process to test vulnerability values as per BS ISO/IEC 27001:2005 standard
Table 3: Summary of responses from the respondents captured during the interviews
List of Figures
Figure 1: The Nine Step Risk Assessment Process recommended by NIST (Source: NIST Special Publication 800-30, 2002)
Figure 2: Concentric Spheres Model of Risk Management Framework (Source: ISO 27005 conceptual framework)
Figure 3: Relationships in a Risk management Framework (Source: Conceptual framework of ISO 27005 standard)
Figure 4: Various databases maintained in the relationship model of Risk Management Framework (Source: Conceptual framework of ISO 27005 standard)
Figure 5: Focus Areas of IT Governance (Source: COBIT Framework 4.1, IT Governance Institute, 2007)
Figure 6: Input-Output framework of IT Risk Management (Source: COBIT Framework 4.1, IT Governance Institute, 2007)
Figure 7: Matrix Structure to evaluate Risk Value from Threat Value, Vulnerability Value and Asset Value (Based on guidelines of ISO 13335-3 which is now ISO 27005)
Figure 8: An example of a Risk Heat Chart (Showing risks in absolute GREEN, AMBER, RED and those that are on the boundary)
Figure 9: The research life cycle followed in this report
Businesses in the modern world of global competitiveness are surrounded by threats that keep emerging regularly from malicious intent, accidents, natural disasters, competitor activities, market dynamics, terrorism, etc. The day is not far away when every action in a business process will be associated with a multitude of risks and the way forward may not be clear to the process owners. Frameworks like ISO 27001, ISO 27002, ISO 27005, ISO 17799, NIST, etc. recommend that risk analysis be carried out in every business transaction, asset acquisition, asset retirement, hiring, termination, IT infrastructure change, organizational change, etc. In this context a large number of organizations across the world have implemented information risk management systems such that risk analysis against business threats is made mandatory for every employee in the organization.
However, with the growing number of threats across the world, risk management systems are getting more and more complex & time-consuming, causing frustration among employees, who do not see tangible benefits to the business except for mental agony, fear psychosis and a culture of mistrust being imbibed into their working style. Empirical studies by scholars have claimed that organizations with excessive compliance cultures kill innovation & entrepreneurial qualities in employees, leading to a deeply hierarchical, autocratic control system that causes more damage to organizational performance & growth than the threats perceived in the risk assessment process. The controls implemented as an outcome of the Risk Assessment Process lead to stringent systems, rules & norms that affect employee morale and overall business productivity. For example, electronic employee monitoring is one such control which is never taken positively by the employees of an organization [Ciarlone, Leonor. 2006]. As per the research carried out by Alder (2001), electronic monitoring of employees disrupts the positive interactions between managers & subordinates, thus reducing the culture of mutual trust and support in the organization. Such a system cannot be considered fit for organizations having supportive and innovative cultures. Alder’s research proved that electronic employee monitoring is a perfect fit in bureaucratic organizations where the environment emphasizes procedure orientation and a compartmentalized work culture imbibed in deep hierarchies. Such systems cause high levels of stress among employees, as they are afraid of interacting openly with their co-workers, resulting in perceptions of lower social support and stress-related illness. Hence, the approach becomes autocratic and system-centric, and almost completely kills creativity, innovation, entrepreneurship, fun and job satisfaction at the workplace [Alder. 2001].
Other scholars have challenged compliance-based cultures in their own ways, arriving at similar conclusions. From the management perspective, compliance-based cultures and many other such non-employee-friendly systems are primarily outcomes of risk management systems, which in turn are a mission-critical business requirement in the modern world.
But why do organizations end up harming employee morale & satisfaction through the stringent compliance cultures that result from implementing Risk Management Systems? I hereby argue that there is nothing wrong with the global best practices; rather, the management teams of organizations develop threat perceptions after learning about global threats, which makes them paranoid about security, and moreover, legal & regulatory requirements add to the compliance pressures. The culprits are not the global best practices but the methodologies employed to implement them in organizations. In this research I have presented Information Risk Management methodologies that can be very useful for organizations not only in mitigating the risks from known & emerging threats but also in maintaining employee-friendly cultures amidst compliance pressures. The end result shall be enhanced security controls ensuring optimal protection of the business without compromising employee satisfaction, thus maintaining their innovativeness & entrepreneurial skills and leading to higher business growth in the target markets. The gaps in the existing methodologies have been vetted by a qualitative survey conducted among 325 ISMS and IRM practitioners in multiple organizations where an Information Security Management System has been implemented. The output of the literature review and the survey has provided strong fundamentals for the proposed Information Risk Management methodologies in this research report.