WHITEPAPER 7 STEPS TO BUILD A GRC FRAMEWORK


WHITEPAPER
7 STEPS TO BUILD A GRC FRAMEWORK
ALIGNING BUSINESS RISK MANAGEMENT FOR BUSINESS-DRIVEN SECURITY

CONTENTS

Defining Business-Driven Security
Challenges to a Business-Driven Security Approach
Enabling Business-Driven Security Using Business Risk Management
Aligning Your Organization’s Risk Appetite and Information Security
Conducting Information Risk Assessments
Establishing Your Business Risk Management Framework
7-Step Methodology for Business Risk Management Framework
  Step 1: Define What Information Needs to be Protected
  Step 2: Identify the Location and Amount of Important Information
  Step 3: Assess Inherent Risk and Evaluate its Acceptability
  Step 4: Evaluate Risk Treatments
  Step 5: Assess Residual Risk
  Step 6: Document Processes and Enterprise Risk and Controls
  Step 7: Provide Visibility and Reporting
Addressing Security Vulnerabilities and Incidents
RSA Solutions and Services for Business-Driven Security
Summary
Table 1 – Inherent Risk Assessment Example
Table 2 – Residual Risk Assessment Example
Glossary of Terms

DEFINING BUSINESS-DRIVEN SECURITY

Companies around the world are trying their best to manage information security, but without a holistic understanding of the risk, they are only able to address a small sliver of the problem. Security teams often purchase the latest new security gadget or system in hopes of stemming security threats, while the business risk of information security breaches continues to increase for the organization. Despite these security investments, organizations still find it difficult to put security details in the necessary business context to make the right investments in information security, or to react appropriately when information security vulnerabilities and incidents are identified.

Business-Driven Security is an approach to understanding, managing, and depicting information security risk in the context, terms, and manner that are most efficiently and effectively utilized by the organization’s business leaders, executive management, and board of directors. Understanding and communicating information security in terms of its impact on the overall business leads to better business decisions and more efficient allocation of human and capital resources to manage information security.

This fusion of information security insights with business context is critical in helping organizations know where to make strategic information security investments. It creates an explicit linkage between what the security technology indicates and what that means in terms of risk to your business. It enables organizations of all sizes to take command of their evolving security posture in this uncertain, high-risk world, to reduce risk and ensure protection of what matters most.

CHALLENGES TO A BUSINESS-DRIVEN SECURITY APPROACH

A recent Ponemon Institute survey of executives found that 59 percent are concerned with their organization’s ability to stay operational following a data breach involving high-value information assets, such as trade secrets and confidential corporate information. However, 53 percent indicated their senior management’s greater concern is a breach involving credit card information or Social Security numbers.

While these executives understand the data they control could have significant impact if it were subjected to unauthorized access, alteration, or destruction, they are not prioritizing this information consistently. Moreover, they likely do not know where their organization’s most critical information resides, which leads to misallocation of people, processes, and technologies to manage information security. Embracing a Business-Driven Security strategy enables senior managers to align key business priorities with security information, to ensure a properly prioritized response in the event of a security crisis.

A business-driven approach to information security enables your organization’s management team and board to answer questions such as:

- What information is important to our organization?
- Where is this information handled, stored, processed, transmitted, and archived?
- In the absence of controls and risk transfer, what is the likelihood that this important information can be stolen, altered, destroyed, or inaccessible for a period of time? And what is the impact to our organization?
- Are these risks of enough significance to warrant devoting human and capital resources to mitigate and transfer the risk?
- Where significant risks have been identified, are the committed human and capital resources adequate to effectively mitigate and transfer the risks?
- Where information security vulnerabilities and weaknesses have been identified, are resources being devoted to remediation on a prioritized basis, relative to the business risk presented to our organization?
- If an incident occurs, how bad could things get?

ENABLING BUSINESS-DRIVEN SECURITY WITH BUSINESS RISK MANAGEMENT

It is the fiduciary obligation of senior management and the board of directors to ensure that management of information security risk is consistent with the risk appetite of the organization in order to adhere to strategies and meet objectives. While organizations do not have enough resources to entirely eliminate risk, applying a Business-Driven Security approach enables organizations to more intelligently allocate limited resources to the biggest information security risks.

No organization can achieve its objectives without taking risks, but the risk-taking must be well understood and managed to ensure that it is appropriate to achieve the organization’s objectives without jeopardizing the organization’s existence. Organizations can optimize this balance by embracing business risk management: applying governance, risk and compliance (GRC) concepts and best practices, and implementing a framework to collect and organize information that is relevant for management of information security risk. Business risk management makes GRC actionable, enabling organizations to improve business performance through reduced risk and more informed decision making. Organizations can define and enforce accountability for risk and compliance issues, and drive efficiencies by automating processes. It also provides collaboration on risk issues across business lines and organizational boundaries, and improves visibility by consolidating data and enabling risk analytics across the organization.

Business-Driven Security relies on the implementation of a framework for collecting and organizing information relevant to information risk management. A business risk management framework is a catalog of the organizational elements and their interrelationships that are necessary to ensure the success of the organization in meeting its objectives and managing its risk and compliance obligations. These elements include strategies and objectives, products and services, policies and procedures, authoritative (regulatory) sources, business processes and sub-processes, third parties, IT infrastructure elements (web services, IT software applications, IT systems, databases, and data stores both inside and outside of the cloud), and risks and controls.

ALIGNING YOUR ORGANIZATION’S RISK APPETITE FOR INFORMATION SECURITY

No organization can achieve its objectives without taking risks. Your organization’s “risk appetite” defines the maximum amount of risk your organization is willing to take to achieve strategic business objectives. Deciding the types and amounts of risk to take, and managing risk within those constraints, is essential to increasing the likelihood that your organization will meet its objectives. In effect, your organization’s risk appetite sets the parameters for prioritizing which risks need to be addressed and treated.

Within the organization’s overall risk appetite, “cyber risk appetite” defines the maximum amount of loss or harm an organization is willing to take related to its technical infrastructure or use of technology. By broad definition, cyber risk appetite also includes “information risk appetite,” the maximum amount of loss, destruction, alteration, or unauthorized disclosure of the organization’s information or the information it maintains for customers, partners, and counterparties.

Questions to consider when setting your organization’s information risk appetite include:

- What type of information does our organization maintain about itself and others? What information is most important?
- How much and what type of information could our organization “afford” to lose or have stolen, altered, destroyed, or made inaccessible?
- At what magnitude would information that is lost, stolen, altered, destroyed, or inaccessible result in unacceptable publicity?
- At what magnitude of information loss, theft, alteration, destruction, or inaccessibility would our organization experience significant costs, including recovery, compensation, litigation, and regulatory fines and sanctions?

An information risk appetite acknowledges the reality of today’s information security threats, establishing a pragmatic threshold to which risk should be managed. While the natural tendency of organizations is to say they do not want any information to be lost, stolen, altered, destroyed, or inaccessible, no organization has the time or money necessary to protect 100 percent of its information with 100 percent certainty at all times.

Calculating information risk through ongoing assessments using defined and proven methodologies, as well as both quantitative metrics and qualitative risk elements, is critical in determining how much risk your organization is willing to accept to achieve specific business goals or objectives. Determining your organization’s information risk appetite cannot be a point-in-time exercise; it must be an ongoing process, involving constant evaluation and re-evaluation.

Organizations often also establish “risk tolerance” thresholds. These are almost always less than the related risk appetite and represent the level of risk the organization is willing to take on a day-to-day or transaction-by-transaction basis (Figure 1).

Figure 1 – Risk Taking Thresholds

Information risk appetite should be set by the CEO, CISO (Chief Information Security Officer), CLO (Chief Legal Officer), and CRO (Chief Risk Officer), codified by the board of directors as applicable, and shared throughout the organization to establish day-to-day operating risk tolerances. Information risk appetite is not a strictly technical issue; rather, it ties together operational risk, information risk, and enterprise risk, and requires conversation across technical and non-technical functions. The strategic conversation is about the risk the organization is willing to take on and what priority should be placed on information risk management. Defining and communicating risk appetite is critical in helping your organization know where to invest time and resources for the greatest impact.

CONDUCTING INFORMATION RISK ASSESSMENTS

In keeping with the guidelines provided in ISO 31000:2009, Risk Management – Principles and Guidelines, and NIST 800-30 rev. 1, Guide for Conducting Risk Assessments, a basic approach to risk assessments (Figure 2) begins with identifying information owned or managed by the organization and determining what information is important. Once this business context has been established, you must assess the information’s inherent risk. The “inherent risk” assessment is the process of estimating the worst-case likelihood and impact of threats to the information being lost, stolen, altered, destroyed, or inaccessible as the result of malicious or unintentional acts originating internal or external to the organization, including man-made and natural disasters.

Next, inherent risk is evaluated against the level of risk the organization is willing to take. If inherent risk exceeds risk tolerance, the organization may choose to reduce the amount of information at risk, accept the risk, or apply risk treatments, which may include implementing information security technologies, manual controls, and risk transfer (cyber insurance) to lower the risk.

Figure 2 – Risk Assessment Approach

After these risk decisions are complete and risk treatments have been applied and are operating, risk is assessed on a residual basis. Residual risk to the organization of an information asset being stolen, altered, destroyed, or made inaccessible is, in essence, the worst-case risk to the organization (i.e., inherent risk) modified by the design and operating effectiveness of each risk treatment to lower the likelihood and/or impact of the threat to the information asset. Practically speaking, residual risk can never be greater than inherent risk, nor can residual risk be reduced to zero, since no set of controls is ever 100 percent effective.

Once residual risk is calculated, it is again compared with the organization’s risk appetite. If the risk is still too high, more risk treatments should be applied, the activity reduced, and/or the risk accepted. Risks that are to be accepted should be cataloged and routed for approval by managers within their delegated authority to accept risk. If the risk being accepted is deemed significant enough, it should be accepted by the board of directors. These risk acceptance decisions are revisited on a periodic basis to ensure they still align with the organization’s risk tolerance and appetite.

To perform meaningful and consistent risk assessments, organizations must agree on risk management-related terminology and practices, including:

- How assessments will be performed
- The definitions of inherent and residual risk
- Risk scoring and risk rating scales that will be used to depict risk

Organizations with established enterprise risk management or operational risk management functions are well advised to align these approaches with their information risk management programs.
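The inherent-to-residual assessment described above, carried through as a small Python model that scores an asset's worst-case risk, applies each treatment's design and operating effectiveness, enforces the two stated invariants (residual never above inherent, never zero), and routes the outcome against tolerance and appetite. This is an added example and not part of the whitepaper or any RSA product; the 1-5 scales, the 0.9 effectiveness ceiling, the rating bands, the approval levels, and the sample assets are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import List

# Assumed scales (not from the whitepaper): likelihood and impact are scored
# 1-5, risk score = likelihood x impact (1-25), and tolerance/appetite are
# expressed on that same score scale.
MAX_CONTROL_EFFECTIVENESS = 0.9   # assumption: no single treatment is ever 100% effective


@dataclass
class Treatment:
    """A risk treatment: security technology, manual control, or risk transfer."""
    name: str
    reduces: str           # "likelihood" or "impact"
    design_eff: float      # 0..1: how well the control is designed
    operating_eff: float   # 0..1: how well it actually operates

    def effectiveness(self) -> float:
        # Design and operating effectiveness compound: a well-designed control
        # that is poorly operated gives little benefit. The cap keeps residual
        # risk from ever reaching zero.
        return min(self.design_eff * self.operating_eff, MAX_CONTROL_EFFECTIVENESS)


@dataclass
class InformationAsset:
    name: str
    likelihood: int        # worst-case likelihood, 1-5
    impact: int            # worst-case impact, 1-5
    treatments: List[Treatment] = field(default_factory=list)

    def inherent_risk(self) -> float:
        """Worst-case risk before any treatment is considered."""
        return float(self.likelihood * self.impact)

    def residual_risk(self) -> float:
        """Inherent risk modified by each treatment's effectiveness."""
        likelihood, impact = float(self.likelihood), float(self.impact)
        for t in self.treatments:
            if t.reduces == "likelihood":
                likelihood *= 1.0 - t.effectiveness()
            elif t.reduces == "impact":
                impact *= 1.0 - t.effectiveness()
            else:
                raise ValueError(f"unknown treatment target: {t.reduces}")
        residual = likelihood * impact
        # Invariants from the assessment approach: residual is never greater
        # than inherent and never zero.
        assert 0.0 < residual <= self.inherent_risk()
        return residual


def rating(score: float) -> str:
    """Map a score to a qualitative rating (assumed four-band scale)."""
    if score <= 4:
        return "Low"
    if score <= 9:
        return "Medium"
    if score <= 16:
        return "High"
    return "Critical"


def decide(asset: InformationAsset, tolerance: float, appetite: float) -> dict:
    """Compare inherent risk with tolerance and residual risk with appetite,
    then route any acceptance to an approver. The delegation levels are an
    assumed scheme, not the whitepaper's."""
    if tolerance > appetite:
        raise ValueError("tolerance should not exceed appetite")
    inherent, residual = asset.inherent_risk(), asset.residual_risk()
    if inherent <= tolerance:
        action, approver = "accept as-is", "business unit manager"
    elif residual <= tolerance:
        action, approver = "accept with treatments in place", "business unit manager"
    elif residual <= appetite:
        action, approver = "accept with treatments in place", "CRO/CISO"
    else:
        action, approver = "treat further, reduce activity, or accept", "board of directors"
    return {"asset": asset.name,
            "inherent": inherent, "inherent_rating": rating(inherent),
            "residual": residual, "residual_rating": rating(residual),
            "action": action, "approver": approver}


# Constructed sample assets for illustration; not real data.
SAMPLE_ASSETS = [
    InformationAsset("cardholder data store", likelihood=4, impact=5, treatments=[
        Treatment("tokenization", "impact", design_eff=0.9, operating_eff=0.9),
        Treatment("role-based access control", "likelihood", design_eff=0.8, operating_eff=0.75),
    ]),
    InformationAsset("product source code repository", likelihood=3, impact=4, treatments=[
        Treatment("multi-factor authentication", "likelihood", design_eff=0.9, operating_eff=0.5),
    ]),
    InformationAsset("acquisition strategy documents", likelihood=2, impact=5),
]


def assess_all(assets=SAMPLE_ASSETS, tolerance=6, appetite=9):
    """Run the assessment over a portfolio with one tolerance and one appetite."""
    return [decide(a, tolerance, appetite) for a in assets]


if __name__ == "__main__":
    for row in assess_all():
        print(f"{row['asset']:<32} inherent {row['inherent']:>5.2f} ({row['inherent_rating']})  "
              f"residual {row['residual']:>5.2f} ({row['residual_rating']})  -> "
              f"{row['action']} [{row['approver']}]")
```

Treatments are modelled multiplicatively on whichever factor they address, so two partially effective controls on the same asset never add up to more than 100 percent, and the untreated third asset shows the case where residual equals inherent and the decision escalates because appetite is exceeded.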
Such alignment makes it easier to roll up different kinds of risk in a comparable fashion.

ESTABLISHING YOUR BUSINESS RISK MANAGEMENT FRAMEWORK

A “business risk management framework” is a catalog of organizational elements and their interrelationships that are necessary to ensure the success of the organization in meeting its objectives and managing its risk and compliance obligations. These elements include strategies and objectives, products and services, policies and procedures, authoritative (regulatory) sources, business processes and sub-processes, third parties, IT infrastructure elements (web services, IT software applications, IT systems, databases, and data stores), and risks and controls.

A business risk management framework for Business-Driven Security provides senior management and the board with critical insight regarding:

- What information is important to our organization
- Where this important information is handled, stored, processed, transmitted, and archived
- What the inherent risk is to our organization if this important information is lost, stolen, altered, destroyed, or inaccessible for a period of time
- Whether inherent risks are significant enough to devote human and capital resources to mitigate and transfer
- Where significant risks have been identified, whether the committed human and capital resources are adequate to effectively mitigate and transfer the risks
- How much needs to be spent to lower risk within our organization’s risk appetite
- Where the gaps are in our control environment, why they are important, who is responsible for correcting them, and when they will be corrected
- If an information security incident occurs, what infrastructure elements could be involved and what the impact to the organization could be
- Whether we should buy cyber insurance, which risks should be covered, and how much we should buy
- Whether we are in compliance with our regulatory obligations around information security

7-STEP METHODOLOGY FOR A BUSINESS RISK MANAGEMENT FRAMEWORK

Based on best practices and industry standards, this seven-step methodology provides organizations with the business risk management framework necessary for Business-Driven Security.

STEP 1: DEFINE WHAT INFORMATION NEEDS TO BE PROTECTED

The organization’s first step in establishing a Business-Driven Security approach to risk management is determining whether the organization handles information that needs to be protected. This determination could be done with a quick assessment. Typically, an organization documents and evaluates its strategies and objectives, the products and services being delivered (or planned to be delivered), and the regulatory obligations the organization is subject to across the jurisdictions where it does business.

Elements that should be captured to identify information that may be deemed important to protect include organizational structure and business jurisdictions, strategies and objectives, products and services, policies and procedures, and regulatory obligations (Figure 3).

Figure 3 – Identifying information that may be important to your organization

These interconnected relationships illuminate the following business context:

- Strategies and objectives typically span the organization, rather than residing within one area of the business. Products and services are delivered relative to strategies and objectives, and how they are delivered varies by division, business unit, and jurisdiction.
- Strategies and objectives are often enabled or constrained through a myriad of policies, regulatory obligations, and covenants within the various jurisdictions where the organization does business.
- Products and services are often delivered only within the constraints of policies and procedures and regulatory obligations. One need look no further than the Food and Drug Administration (FDA), consumer banking laws, HIPAA (Health Insurance Portability and Accountability Act), GLBA (Gramm-Leach-Bliley Act), PCI (Payment Card Industry), and the EU GDPR (General Data Protection Regulation) to appreciate the requirements for bringing products to market and maintaining them in the market over the long run without incurring material fines or sanctions or inviting litigation.

Having cataloged and depicted the interrelationship of strategies, objectives, products and services, policies and procedures, regulatory obligations, and organizational structure, the organization is now in a position to answer the following:

- Are any strategies or objectives being pursued that, if publicly disclosed or acquired by competitors or others, would impair our organization’s ability to achieve strategies and objectives? This includes information that may put persons at risk of physical or financial harm, or information about strategic plans related to market strategy, customers, geographies, mergers, acquisitions, new product development, etc.
- Does our organization offer any products or services that require the collection, processing, and/or storage of information that, if publicly disclosed, accessed by unauthorized persons, lost, altered, destroyed, or inaccessible, would impair our organization’s ability to achieve our strategies and objectives? Examples include collection of personal, healthcare, and credit card information from customers.
- Do any products that we offer rely on proprietary information or intellectual property that, if publicly disclosed or acquired by competitors, would impair our ability to achieve our strategies and objectives? Examples include computer software source code, “secret formulas,” and designs for product manufacturing.
- What policies and procedures does our organization have in place related to classification, collection, and handling of information? The intersection of information-related policies and procedures with the organization’s strategies, objectives, and products and services helps to determine what information is important to protect.
- What laws and regulations is our organization subject to, related to the collection and handli
