Information Security Risk Management: Build a Strong Program

Are your mission-critical data, customer information, and personnel records safe from intrusions from cybercriminals, hackers, and even internal misuse or destruction?

If you’re confident that your data is secure, other companies had the same feeling:

• Target, one of the largest retailers in the U.S. fell victim to a massive cyber attack in 2013, with personal information of 110 million customers and 40 million banking records being compromised. This resulted in long-term damage to the company’s image and a settlement of over 18 million dollars.
• Equifax, the well-known credit company, was attacked over a period of months, discovered in July 2017. Cyber thieves made off with sensitive data of over 143 million customers and 200,000 credit card numbers.

These are only examples of highly public attacks that resulted in considerable fines and settlements. Not to mention, damage to brand image and public perception.

Kaspersky Labs’ study of cybersecurity revealed 758 million malicious cyber attacks and security incidents worldwide in 2018, with one third having their origin in the U.S.

How do you protect your business and information assets from a security incident?

The solution is to have a strategic plan, a commitment to Information Security Risk Management.

What is Information Security Risk Management? A Definition

Information Security Risk Management, or ISRM,  is the process of managing risks affiliated with the use of information technology.

In other words, organizations need to:

• Identify Security risks,  including types of computer security risks.
• Determining business “system owners” of critical assets.
• Assessing enterprise risk tolerance and acceptable risks.
• Develop a cybersecurity incident response plan.

Building Your Risk Management Strategy

Risk Assessment

Your risk profile includes analysis of all information systems and determination of threats to your business:

• Network security risks
• Data & IT security risks
• Existing organizational security controls

A comprehensive IT security assessment includes data risks, analysis of database security issues, the potential for data breaches, network, and physical vulnerabilities.

Risk Treatment

Actions taken to remediate vulnerabilities through multiple approaches:

• Risk acceptance
• Risk avoidance
• Risk management
• Incident management
• Incident response planning

Developing an enterprise solution requires a thorough analysis of security threats to information systems in your business.

Risk assessment and risk treatment are iterative processes that require the commitment of resources in multiple areas of your business: HR, IT, Legal, Public Relations, and more.

Not all risks identified in risk assessment will be resolved in risk treatment. Some will be determined to be acceptable or low-impact risks that do not warrant an immediate treatment plan.

There are multiple stages to be addressed in your information security risk assessment.

6 Stages of a Security Risk Assessment

A useful guideline for adopting a risk management framework is provided by the U.S. Dept. of Commerce National Institute of Standards and Technology (NIST). This voluntary framework outlines the stages of ISRM programs that may apply to your business.

1. Identify – Data Risk Analysis

This stage is the process of identifying your digital assets that may include a wide variety of information:

Financial information that must be controlled under Sarbanes-OxleyHealthcare records requiring confidentiality through the application of the Health Insurance Portability and Accountability Act, HIPAA

Company-confidential information such as product development and trade secrets

Personnel data that could expose employees to cybersecurity risks such as identity theft regulations

For those dealing with credit card transactions, compliance with Payment Card Industry Data Security Standard (PCI DSS)

During this stage, you will evaluate not only the risk potential for data loss or theft but also prioritize the steps to be taken to minimize or avoid the risk associated with each type of data.

The result of the Identify stage is to understand your top information security risks and to evaluate any controls you already have in place to mitigate those risks. The analysis in this stage reveals such data security issues as:
Potential threats – physical, environmental, technical, and personnel-related

Controls already in place – secure strong passwords, physical security, use of technology, network access

Data assets that should or must be protected and controlled

This includes categorizing data for security risk management by the level of confidentiality, compliance regulations, financial risk, and acceptable level of risk.

2. Protection – Asset Management

Once you have an awareness of your security risks, you can take steps to safeguard those assets.

This includes a variety of processes, from implementing security policies to installing sophisticated software that provides advanced data risk management capabilities.

• Security awareness training of employees in the proper handling of confidential information.
• Implement access controls so that only those who genuinely need information have access.
• Define security controls required to minimize exposure from security incidents.
• For each identified risk, establish the corresponding business “owner” to obtain buy-in for proposed controls and risk tolerance.
• Create an information security officer position with a centralized focus on data security risk assessment and risk mitigation.

3. Implementation

Your implementation stage includes the adoption of formal policies and data security controls.

These controls will encompass a variety of approaches to data management risks:

• Review of identified security threats and existing controls
• Creation of new controls for threat detection and containment
• Select network security tools for analysis of actual and attempted threats
• Install and implement technology for alerts and capturing unauthorized access

4. Security Control Assessment

Both existing and new security controls adopted by your business should undergo regular scrutiny.

• Validate that alerts are routed to the right resources for immediate action.
• Ensure that as applications are added or updated, there is a continuous data risk analysis.
• Network security measures should be tested regularly for effectiveness. If your organization includes audit functions, have controls been reviewed and approved?
• Have data business owners (stakeholders) been interviewed to ensure risk management solutions are acceptable? Are they appropriate for the associated vulnerability?

5. Information Security System Authorizations

Now that you have a comprehensive view of your critical data, defined the threats, and established controls for your security management process, how do you ensure its effectiveness?

The authorization stage will help you make this determination:

• Are the right individuals notified of on-going threats? Is this done promptly?
• Review the alerts generated by your controls – emails, documents, graphs, etc. Who is tracking response to warnings?

This authorization stage must examine not only who is informed, but what actions are taken, and how quickly. When your data is at risk, the reaction time is essential to minimize data theft or loss.

6. Risk Monitoring

Adopting an information risk management framework is critical to providing a secure environment for your technical assets.

Implementing a sophisticated software-driven system of controls and alert management is an effective part of a risk treatment plan.

Continuous monitoring and analysis are critical. Cyber thieves develop new methods of attacking your network and data warehouses daily. To keep pace with this onslaught of activity, you must revisit your reporting, alerts, and metrics regularly.

Create an Effective Security Risk Management Program

Defeating cybercriminals and halting internal threats is a challenging process. Bringing data integrity and availability to your enterprise risk management is essential to your employees, customers, and shareholders.

Creating your risk management process and take strategic steps to make data security a fundamental part of conducting business.

In summary, best practices include:

• Implement technology solutions to detect and eradicate threats before data is compromised.
• Establish a security office with accountability.
• Ensure compliance with security policies.
• Make data analysis a collaborative effort between IT and business stakeholders.
• Ensure alerts and reporting are meaningful and effectively routed.

Conducting a complete IT security assessment and managing enterprise risk is essential to identify vulnerability issues.

Develop a comprehensive approach to information security.

PhoenixNAP incorporates infrastructure and software solutions to provide our customers with reliable, essential information technology services:

• High-performance, scalable Cloud services
• Dedicated servers and redundant systems
• Complete software solutions for ISRM
• Disaster recovery services including backup and restore functions

Security is our core focus, providing control and protection of your network and critical data.

Contact our professionals today to discuss how our services can be tailored to provide your company with a global security solution.