Managing risk response and mitigation in information security
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of the Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; twitter: @moshoke
August 16, 2021
To fully manage risk within an organisation and to track the mitigation strategies, a focused approach is required. Most organisations want a positive response to any risk assessment findings. Yet, many IT professionals and consultants approach risk response from a negative standpoint.
Let’s start with a case. A consulting firm carried out an information security risk assessment within a company and found many gaps across the business processes and functions. The consultants’ response, according to their client, was alarming.
Every organisation has risk. Stakeholders within the organisation must determine which risks are acceptable, which can be transferred to third parties such as an insurance company, and which need to be mitigated. Risk differs between organisations; what works in the oil and gas context might not work in the telecommunications space.
As such, to arrive at a risk response that fits a company’s goals, there needs to be a thorough risk analysis. For example, when looking for privacy risks, the gap analysis revolves around access management, information retention schemes, security, data subject access requests and many more. The task is to find these gaps and design the right response for each of them. A risk analysis will help an organisation prioritise the response options that are right for it.
In addition, it is important that the response doesn’t disrupt day-to-day business operations. Many IT consultants and professionals forget that the business objectives are the top priority, and to carry out their duties effectively they must keep this in mind.
One well-known risk response methodology is the Plan-Do-Check-Adjust (PDCA) life cycle. The model supports continuous improvement: it covers designing, implementing, assessing and adjusting the controls that respond to risk, and documenting them at each stage.
There are known risk response standards. There is the National Institute of Standards and Technology (NIST) framework, Control Objectives for Information and Related Technology (COBIT) framework, just to mention those two. Organisations must bear in mind that these frameworks have their pros and cons. It is, therefore, imperative to determine the best one that fits the purpose and business missions.
Risk response usually revolves around avoidance, mitigation, sharing and acceptance to lower the risk level organisations face. This will help reduce threats and vulnerabilities, prevent regulatory fines, and help keep the reputation of the company.
Risk mitigation, simply put, is the application of controls that lower the overall level of risk, either by reducing the likelihood that a threat exploits a vulnerability or by reducing the impact to the asset if the risk were to come to fruition. Controls can be policies, the replacement of legacy systems, or the elimination of a third-party software tool that doesn’t meet ethical standards. The goal is to get the risk down to a level considered acceptable by the leadership of the organisation.
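The mitigation logic described above, carried through as a small risk-register script: each risk is scored on likelihood and impact, candidate controls lower one or both, and the residual score is compared with the level leadership accepts to pick one of the four responses (accept, mitigate, share, avoid). This is an added example, not code from the article; the 5x5 scale, the appetite value of 6, the control reductions and the register entries are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed: a 5x5 likelihood x impact scale; APPETITE is the score leadership accepts.
APPETITE = 6

@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # scale points the control removes from likelihood
    impact_reduction: int = 0      # scale points the control removes from impact

@dataclass
class Risk:
    name: str
    likelihood: int                # 1 = rare ... 5 = almost certain
    impact: int                    # 1 = negligible ... 5 = severe
    transferable: bool = False     # loss can be shared, e.g. via insurance or contract
    controls: list = field(default_factory=list)  # candidate mitigations

def inherent_score(risk):
    """Risk before any control is applied."""
    return risk.likelihood * risk.impact

def residual_score(risk):
    """Risk after the controls lower likelihood and/or impact (floor of 1 each)."""
    likelihood = max(1, risk.likelihood - sum(c.likelihood_reduction for c in risk.controls))
    impact = max(1, risk.impact - sum(c.impact_reduction for c in risk.controls))
    return likelihood * impact

def choose_response(risk, appetite=APPETITE):
    """Pick one of the four responses named in the article."""
    if inherent_score(risk) <= appetite:
        return "accept"    # already within appetite, no spend needed
    if residual_score(risk) <= appetite:
        return "mitigate"  # the controls bring it down far enough
    if risk.transferable:
        return "share"     # controls insufficient, but the loss can be transferred
    return "avoid"         # stop the activity or remove the asset/tool

def prioritise(register):
    # Highest inherent risk first, each with inherent score, residual score and response.
    ranked = sorted(register, key=inherent_score, reverse=True)
    return [(r.name, inherent_score(r), residual_score(r), choose_response(r)) for r in ranked]

REGISTER = [  # constructed sample register
    Risk("Unpatched legacy server", 4, 5, controls=[Control("Replace legacy system", 3)]),
    Risk("Third-party processor breach", 2, 5, True, [Control("Contract clauses", 0, 1)]),
    Risk("Phishing of staff", 5, 2, controls=[Control("Awareness training", 2)]),
    Risk("Unvetted third-party tool", 3, 4),
    Risk("Printer misconfiguration", 2, 2),
]
```

Calling `prioritise(REGISTER)` ranks the legacy server first (inherent 20, residual 5, mitigate) and recommends sharing the processor risk, since the contract clause alone leaves it above appetite.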
Risk controls fall into broad areas, which include the managerial, technical, operational and preparedness aspects of the organisation. From a managerial standpoint, there needs to be an acceptable use policy that dictates the use of information assets.
From a technical point of view, an organisation can decide to implement additional firewalls to protect internal systems, or install an intrusion detection system to monitor for malicious activity or violations of policy.
From an operational perspective, a company can implement a segregation-of-duties procedure to ensure that no one person has sole control over key duties, and it can mandate a baseline knowledge of IT security-related issues and concepts.
There must be tabletop exercises to test the effectiveness of the controls within an organisation. The big question is whether the controls are working and whether they address the gaps found during the risk analysis stage.
Risk response and mitigation are quite interlinked. It is important, however, for companies to design the right response that fits their business missions and determine the right frameworks that fit their business context.