Building a Security Risk Management Program


The frequency of data breaches today highlights the need to peel back the onion on security programs and identify a laser-focused mission and ultimate goal. As a compliance manager, I know the horror stories first hand.

Let’s take a deeper dive into security and risk management basics to enable your program to add value for your business and help prevent breaches.

Security Risk Management Foundations

It all starts with a fundamental management-supported, skilled and budgeted security program.  Security programs are not a cut and paste of your neighbors’ security program.  Each program is unique, and must be tailored to your organization and its risks, forming an integral component of an enterprise risk management (ERM) program.

The goal is to identify areas of risk to the organization, its people, processes, technology and environment, and to drive management to implement controls to limit the exposure.  This, like any risk program, plays a trifecta balancing game between the risk, cost and benefit.

How ISO 27001 Can Help

ISO 27001 jump starts a program by providing a well-structured framework for developing an Information Security Management System (ISMS), driven by solid corporate requirements (see Figure 1). ISO 27001 defines the key areas a security program must cover, along with the details required within each area. Well accepted internationally, it helps satisfy customer requests for solid security programs—and future certification (if this is your goal).


Figure 1: Corporate risk drivers help determine the requirements for your security risk management program.

Knowing your organization carries a huge advantage over others and includes the people, the culture, the IT infrastructure, the assets…you may even know the regulatory and legal requirements for information security.  Knowing the processes, how things work (or how you think they do) is a big advantage, but this is only the beginning.

Meetings with key management and teams across the organization solidify connections and generate a detailed picture of the organization, risk status and controls across existing processes.  The data collected, once analyzed, provides input into the ISMS program, including: assets, risk owners, control owners, risks, and more.  You will find that time brings success if you stay engaged in the process.

I have found that employees or consultants who do not spend 100% of their time on the ISMS provide limited value to a continuous risk program, unless the organization is very small. Business is constantly changing, and along with it the risks. Not being in the “zone” constantly depletes the value of your risk program. So, where to from here?

Identify Your Assets / Ask the Right Questions

Breached organizations might ask these questions:

  • Did we focus on ‘the gold’ (or assets, as we call them in the information security world), such as customer credit card numbers and biometric data?
  • Did we fully understand the threats and risks to the business?
  • Was management made aware of the output of the above (if any)?

Risk management is there to ultimately protect an organization’s key assets, so start by identifying them. Assets include information, processes, systems, infrastructure and people in the organization.

A significant impact to any of these can affect the core business and ultimately management’s core objectives. Threats are not only IT’s problem: threats take advantage of vulnerabilities in any area of the business (Figure 2).


Figure 2: Layered security is key. Threats take advantage of vulnerabilities in any area of the business.

Start by asking:

  • What are my most sensitive assets?
  • What are my areas of highest risk to them?
  • How are we protecting those assets? Think across people, process, technology and physical security.
  • Does that approach make sense?
  • What risk (residual risk) remains and is that acceptable to management?

Following these fundamental questions and making decisions leads to building a security risk program.  Outlined below are solid building blocks for a program, with a focus on three key areas.

Building the Protection Program

ISO 27002

The first building block is the set of ISO 27002 standard controls, which focus on the relevant business areas and their baseline implementation guidelines. With over 100 controls outlined in detail, this provides an excellent starting point.

Documentation

This is a tough one, but establishing a solid program requires documentation that aligns with the business processes and is reviewed and approved by management. There are three main reasons why documentation helps build integrated security controls (and why it should not be bolted on afterwards):

  • Gaining clarity of the actual processes
  • Officially assigning the control owners’ responsibility to perform the process and related controls, as outlined
  • Management review and approval of the new processes, generating commitment to the process via responsibility

NOTE: Generic purchased or provided documents are a great start, but unless tailored to your organization they are of little use. Refer to ISO 27001 for more details on the documentation process.

Team Effort

One cannot work in isolation when building the ISMS program. You need a team effort, relying on the other risk-focused business areas of the organization whose goals are similar to yours. Your risk buddies include legal, IT and finance; there may be other risk partners, depending on the size of your organization. Experienced internal or external assessors are an integral part of the team, performing the technical assessments, audits and reviews that identify gaps and the places where threats can claim a victory.

Be Kind, Tough and Smart

Info security professionals must be kind, tough and smart (in no specific order). When building the security risk program many look at us—the auditor or compliance manager—as the enemy (or worse!). But like any good relationship, you must appreciate what each other brings to the table—understand each person has their own responsibilities and unique challenges in performing their job for the organization.

As the security SME, you will often need to stand your ground on matters of security recommendations and best practices, but strive to do so in a matter-of-fact way. Once the security program begins to show value to the business and stakeholders, any adversarial feelings usually start to change. This is not an overnight change; it takes dedication and focus, and, as the subject matter expert, you are the one helping them manage their risks so they stay out of trouble.

Your smarts will help you shine: you will begin to gain the compliance managers’ trust; help keep them honest; and reduce the threats and business risks, which is the ultimate goal. In some cases, you will help to support their budget requests for resources, additional infrastructure, and more.

Useful Resources

Hopefully these tips prove helpful as you build out a security program and work with internal stakeholders and compliance team members. Below you’ll find links to additional information that could be useful.

ISO 31000 Risk Management

COSO Enterprise Risk Management