Information Security Risk Management
The framework can be used to describe information risk management and the linkage between business needs and IT.
Risk Ownership and Management
One of the important aspects of information risk management is who owns the risk and who is responsible for managing the risk to the organization. The business organization model has been overlaid to show who owns the risk and who is responsible for managing it.
The IT department runs the security infrastructure that manages the risk to the applications, but ownership of the business information being processed lies within the business divisions. The responsibility for agreeing on the controls lies within the business divisions; the implementation lies within the IT division.
Another example at the group level would be the consolidated accounts for the year, which the group owns, with the IT department securing the systems that produce this information.
The ownership of risk also extends into the IT organization, which owns assets such as user lists, password files and log files.
Figure 3: Information Security Risk Ownership and Management
To ensure that the appropriate risks are managed and the controls applied, the information assets and the business processes need to be identified and owners assigned. The business processes and information assets are processed by IT systems. The IT division and the business divisions share the responsibility for managing these systems.
Identifying the business processes and the information assets is not easy and finding people who will accept ownership can also be a challenge. An approach to identifying assets and assigning owners is described in the section Baseline Controls Strategy.
Information Resource Types
Figure 4: Information Resource Types
Information Risk Management Operational Model
Figure 5: Information Risk Management Model
Business and IT View
The three-layer framework can be elaborated in further detail by creating a model that links business direction through to the IT components.
The business direction is set from the group through a business strategy and policy. The strategy and policy will define the approach to deployment and implementation of security and business continuity controls.
Figure 6: Business and IT Component View
The business division, in turn, defines products and services that are supported by the implementation of business applications. To ensure the confidentiality, integrity and availability of these applications, the business will need to define and implement controls to protect the information assets and business processes supported by these applications.
The IT department will provide common security services to be used by the applications. For example, the flow control service would contain components such as firewalls to protect the business applications and web screening to prevent misuse of resources. These services will reside on physical IT components and be supported by processes and procedures that are secured at the software or hardware component level.
The following sub-sections contain more detail on each of these layers.
Business Direction
The strategy and policy of an organization will be defined at the group level and will have a significant impact on the security controls that are required. The strategies that need to be considered include, at a minimum, both the business strategy and the information security strategy.
The business strategy of an organization may define the route to market for an organization. The use of the internet and wireless has had a great influence on the risks to an organization. The business strategy may also indicate the sort of products and services being sold. This may impose legal, regulatory or governance requirements that have an impact on security.
This has become more important in the world of outsourcing, partnerships, alliances, acquisitions, mergers and Business to Business (B2B) where the level of trust between business areas must be well understood. The level of sharing and co-operation may vary based on what information, products or services they are providing and to whom.
The security organization should define the security strategy and policy at group level. The security strategy of an organization may indicate the approach to delivery of security and the focus that is being placed on security. The security policy will define the controls required for an organization.
The security strategy and policy should be defined as a business function to protect information and business processes. Unfortunately, security is too often considered an IT function. As a result, the security policies and standards focus on the technical controls for IT and miss the need for controls over physical and paper-based security. This can expose the business to risks from legal and regulatory requirements that are not being met, especially as most significant losses or abuses of information have not been the result of 'poor technology' alone.