
Managing information risk is a corporate governance requirement


Johannesburg, 05 Aug 2004

Organisations need to safeguard and protect their information. Information risk management as described in this article will provide management with a view of those information systems that pose a risk to the organisation. This will enable top management to focus and prioritise resources in order to manage information risk across an organisation.

With corporate governance a top priority and King II now published in SA, it is clear that the board, directors and management have a duty to protect the organisation's information resources. This is a tall order for organisations, especially since the lack of a method for determining information risk has so far made it impossible to keep information risk under full management control.

Information risk

Information risk is the chance or possibility of damage (financial, reputational or other) being caused to a business as a result of a loss of the confidentiality, integrity or availability of information. Information risk is an important aspect of operational risk that needs to be managed. In order to do so, it is important to understand what is critical to the organisation and to rank each information system by risk, so that the information it holds can be protected adequately.

Information is found in many forms, as indicated in Fig 1.1. Electronically it is usually stored in information systems such as business applications, operating systems, databases and network infrastructure. Hard copy information that is not stored in an information system is excluded from this approach, because the approach is built around information systems; it should be considered separately if hard copy information is critical to the business.

Security management framework

Many organisations strive to comply with the BS7799 (ISO 17799, SANS 17799) requirements. According to BS7799 part two, organisations should establish and maintain a documented information security management system, which includes performing an appropriate risk assessment. The risk assessment should identify the "threats to assets, vulnerabilities and impacts on the organisation and shall determine the degree of risk" (BS7799).

Information risk management

Top management wants to know what is critical to the business, with a view of the total environment and its risk areas. To provide this, organisations should adopt a structured process. This article provides guidance on what to include in such an approach and on other methodologies that could be adopted to help achieve it.

KPMG's information risk services approach, depicted in figure 1.2, describes a structured process for carrying out a risk assessment. It has been adapted for managing information risk across an organisation, giving top management a view of information risk so that resources can be prioritised. An organisation adopting the approach performs the risk assessment and then devises an action plan to reduce risk to an acceptable level; it is key that the action plan is actually carried out. The success of the process lies in continuous monitoring, which lets management see the risk profile change as improvements are made, or see a reduction in controls that immediately indicates the information systems that need further protection.

Business application owners and support personnel are required to complete a questionnaire giving the risk status of each application. It is recommended that this be facilitated to ensure consistency. The alternative is to issue guidelines, but in our experience business owners often do not complete the questionnaire in time, so facilitation is recommended. During facilitation it is important to make clear that the damage to be rated is damage to the organisation, not only to the business unit; otherwise the results risk indicating what is critical to the business unit rather than to the overall organisation. The security or risk management function should coordinate the activities and collate the results. Once the results are complete, it is advisable to hold a workshop with the relevant business owners and the security and risk management functions to present the results and discuss any business applications that do not appear to be adequately reflected. This is an important reasonability check.

The results provide top management with a risk ranking of all the information systems and in addition, the following information will be gathered:

* Documented information systems and related infrastructure;

* The criticality of the information systems: Criticality is a value that indicates the relative importance of the information system to the organisation. The criticality of each application is determined by enquiring about the confidentiality, integrity and availability requirements of that application;

* Controls and control weaknesses: The controls are assessed against a set of best practice controls, for instance the Information Security Forum's Standard of Good Practice (ISF SOGP), ISO 17799 or Control Objectives for Information and related Technology (COBIT);

* Incidents: The actual number of incidents is measured against the level acceptable to management. Incidents are analysed in three categories: those incidents that resulted in the confidentiality of information being compromised; those that affected the integrity of data; and those that caused unavailability of the application.

* Business impact: The business impact of the actual incidents indicates the severity of incidents that materialised during the previous 12 months.

Risk proposition

In order for a risk ranking to be obtained, a risk formula should be adopted that will provide you with the information systems risk to the organisation. Based on risk assessment theory, it is the fundamental proposition that the level of risk associated with an information asset is the product of the asset`s value, threats and vulnerabilities. As the significance of any of these factors increases, the relevant risk also increases. Conversely, reducing any of these factors will significantly reduce the relevant risk. All three factors must be understood before it is possible to assess risk in a reliable manner.

Risk = Asset Value x Threat x Vulnerability

* Asset value is measured in terms of the importance of an information asset to the firm's strategy or continuity from the perspective of availability, integrity and confidentiality (criticality).

* Threats are measured in terms of events or actions that could have a negative impact on the availability, integrity, or confidentiality of an information asset (incidents and business impact).

* Vulnerabilities are measured in terms of the absence, inadequacy, or inconsistency of facilities and processes that are deployed to protect the asset from the identified threats (control weaknesses).

The above formula can be written as:

Risk = Criticality x (Incidents + Business Impact) x Control Weaknesses

To bring risk down to an acceptable level, reduce control weaknesses, which in turn should reduce incidents and their business impact. Criticality is not controllable in the immediate term, so that factor cannot be changed unless a business decision is made to change the existing use of the system. One consequence of multiplying the factors is worth noting: a system that recorded no incidents and no business impact in the period scores zero, whatever its criticality and control weaknesses. Such a system should be treated as not yet scored rather than as risk-free, and its control weaknesses should still be examined.

Risk management

Management will be provided with a risk ranking of the information systems, highlighting the highest information risks to the organisation. Management should first analyse the results of the risk assessment to determine whether the risks are too high to accept. Where risks are unacceptable, management should determine which controls to implement to reduce them to an acceptable level. Incidents, business impact and controls should be analysed together to determine the action plan for implementing or improving controls. As controls improve, the control weaknesses factor falls, and incidents and their business impact should reduce; the calculated risk then reduces too. In some instances management might decide to accept the risks because of the nature of the information systems. This should be documented and communicated appropriately.
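The following added example (written for this edit, not code from the article or from KPMG's methodology) applies the risk proposition above and the risk management step to a set of constructed questionnaire results: it scores each application with the article's formula, ranks them for management, and re-scores one application after an action plan adds controls. The article fixes the formula but not the scales, so the 1..5 rating scale, the rule for turning confidentiality, integrity and availability requirements into criticality, the acceptable incident levels and the four applications are all assumptions made here.

```python
"""Worked example of the article's risk proposition.

Risk = Criticality x (Incidents + Business Impact) x Control Weaknesses

The article fixes the formula but not the scales, so the 1..5 rating scale,
the way questionnaire answers become numbers, the acceptable incident levels
and the four sample applications below are assumptions made for this example.
"""
from dataclasses import dataclass, field, replace


SCALE_MAX = 5  # assumed rating scale: 1 (negligible) .. 5 (severe)

# Assumed number of incidents per 12 months that management accepts, per
# category: C = confidentiality compromised, I = integrity affected,
# A = application unavailable.
ACCEPTABLE = {"C": 0, "I": 1, "A": 2}


@dataclass
class Application:
    """One row of the questionnaire results collated by the risk function."""
    name: str
    confidentiality: int   # business owner's C/I/A requirements, 1..5 each
    integrity: int
    availability: int
    incidents: dict = field(default_factory=dict)  # actual incidents by category
    business_impact: int = 0    # severity of the worst incident in the period, 0..5
    controls_expected: int = 1  # controls in the chosen best-practice set (e.g. ISF SOGP)
    controls_in_place: int = 0  # how many of them the assessment found operating


def criticality(app: Application) -> int:
    """Relative importance of the system: its most demanding C/I/A requirement."""
    return max(app.confidentiality, app.integrity, app.availability)


def incident_score(app: Application, acceptable: dict = ACCEPTABLE) -> int:
    """Incidents measured against the level acceptable to management.

    Only incidents above the acceptable level count; the total is capped at
    SCALE_MAX so one runaway category cannot swamp the other factors.
    """
    excess = sum(max(0, app.incidents.get(cat, 0) - acceptable.get(cat, 0))
                 for cat in ("C", "I", "A"))
    return min(SCALE_MAX, excess)


def control_weakness(app: Application) -> float:
    """Share of expected controls that are missing, mapped onto 1..SCALE_MAX.

    The floor of 1 is a deliberate design choice: a fully controlled system is
    still not risk-free, so this factor never zeroes the product.
    """
    missing = app.controls_expected - app.controls_in_place
    return 1 + (SCALE_MAX - 1) * missing / app.controls_expected


def risk(app: Application, acceptable: dict = ACCEPTABLE) -> float:
    """The article's formula, evaluated for one application."""
    threat = incident_score(app, acceptable) + app.business_impact
    return round(criticality(app) * threat * control_weakness(app), 2)


def risk_ranking(apps, acceptable: dict = ACCEPTABLE):
    """(name, risk) pairs, highest risk first: the view handed to top management."""
    return sorted(((a.name, risk(a, acceptable)) for a in apps),
                  key=lambda pair: pair[1], reverse=True)


def risk_after_remediation(app: Application, controls_added: int,
                           acceptable: dict = ACCEPTABLE) -> float:
    """Re-score after an action plan puts `controls_added` more controls in place.

    Criticality is untouched: only the control-weakness factor moves here, and
    lower weakness should in turn bring incidents and impact down next period.
    """
    in_place = min(app.controls_expected, app.controls_in_place + controls_added)
    return risk(replace(app, controls_in_place=in_place), acceptable)


def sample_applications():
    """Constructed questionnaire results for four applications (not real data)."""
    return [
        Application("Core banking", 5, 5, 5, {"C": 0, "I": 2, "A": 3},
                    business_impact=4, controls_expected=20, controls_in_place=14),
        Application("Payroll", 4, 5, 3, {"C": 1, "I": 0, "A": 1},
                    business_impact=3, controls_expected=20, controls_in_place=18),
        Application("Intranet wiki", 2, 2, 2, {"C": 0, "I": 0, "A": 6},
                    business_impact=1, controls_expected=20, controls_in_place=5),
        Application("Customer database", 5, 4, 3, {},
                    business_impact=0, controls_expected=20, controls_in_place=8),
    ]


if __name__ == "__main__":
    for name, value in risk_ranking(sample_applications()):
        print(f"{name:<18} risk = {value}")
    core = sample_applications()[0]
    print("Core banking after 4 more controls:", risk_after_remediation(core, 4))
```

Running the block ranks Core banking (66) above Intranet wiki (40) and Payroll (28): a low-criticality system with many outages and few controls can outrank a more important one, which is exactly the kind of result the workshop reasonability check should examine. Customer database scores 0 because it had no incidents in the period, even though only 8 of its 20 expected controls are in place; the product formula hides such a system until something goes wrong, so its control weaknesses should still be reviewed. Adding four controls to Core banking drops its risk from 66 to 42 with no change to its criticality.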

Who can assist with this process?

KPMG's Information Risk Monitoring methodology has been developed using the Information Security Forum's (ISF) Standard of Good Practice (SOGP), which is freely available, as a framework. In addition, ISF has developed a risk assessment methodology called Fundamental Information Risk Management (FIRM) that provides organisations with a structured process for performing a risk assessment. ISF is an independent, not-for-profit association that organisations can join by paying an annual fee; at present its members include over 250 leading organisations. Tools are also available to assist with gathering the information. Citicus is one such tool and holds rights to the FIRM methodology.

The important point about using tools and other organisations to assist you is that they must be tailored to your environment. There is no such thing as a one-size-fits-all approach, and one should be avoided.

Lessons learnt

From providing this service, we have discovered areas that further bolster the approach. Firstly, many organisations want a business process view, so it is recommended that one understands which business process each information system forms part of. It may even be preferable to first understand the critical business processes and then identify the information systems that support them.

Another apparent issue is collating the information and applying the ratings consistently across the company. Facilitating the process overcomes both problems. Apart from helping consistency between business owners, facilitation is the point at which to explain that a business application that did not make the critical list is still important to the business. Once it is explained that the critical systems will be subject to a controls assessment and ranked according to their risk to the organisation, business owners usually accept a rating of important but not critical more readily. Facilitation also helps business owners complete the questionnaire, and questions about how to rate the damage can be resolved during the facilitation session.

There are other lessons learnt; however, success depends on how the organisation customises the approach to its environment, and communication is key throughout the process.

Conclusion

Successful management of information security must be an enterprise-wide commitment, supported from the top down. Security management should form part of an organisation's overall information security strategy, and information risk should be addressed by performing risk assessments in order to protect the organisation's information from harm.
