
The Seven Laws of Information Risk Management

May 25th, 2005

The productivity and cost savings associated with relying on technology to streamline internal operations, better arm sales forces and communicate more effectively with partners and customers are enormous. The Achilles' heel of this otherwise economical strategy is that terabytes of proprietary digital data can be taken by external or internal sources and used for ill-gotten gain, causing irreparable damage to the organization and its customers.

In an effort to mitigate risks, the Seven Laws of Information Risk Management were created.

Though data manipulation and theft are global issues, the United States has had more than its fair share of headlines. Names such as ChoicePoint, LexisNexis and DSW have recently grabbed the media's attention. Each could have been avoided through proactive Information Risk Management and the resulting financial loss, customer defection, costly reputation damage, legal liability and disruption to business operations would have been prevented.

Across the globe, safeguarding information has spurred hundreds of regulations designed to force companies to comply with basic guidelines, ensure customer and investor information is safe from internal and external breaches, and trace, authenticate and successfully prosecute information thieves. Many of the regulations are clear in their intent, but vague in terms of what constitutes compliance. The Seven Laws of Information Risk Management aim to clarify how organizations can achieve compliance, while better connecting people, process and technology.

The increased attention on data privacy and security necessitates the enforcement of strict database security and Information Risk Management policies. Perimeter-based security, encryption, traditional security approaches and database management systems cannot stop thieves with legitimate authorization. These insiders are already within the perimeter security and can abuse authorized user privileges. Only a strong lifecycle solution based on user behavior can provide organizations with effective and reliable first and last lines of defense.

Information Risk Management is about detecting breaches, catching and successfully prosecuting offenders, deterring similar breaches and providing mechanisms for re-establishing data integrity. The Seven Laws of Information Risk Management provide a common sense-based framework for securing the information businesses rely on.

1. Your partners and employees will steal from you

You are ultimately responsible for how your employees and business partners access and use your data. Today's information theft debacles are the tip of the iceberg. As globalization and interconnectedness increase without proper vetting and security, employees, customers and trading partners can accidentally corrupt your data or cause regulatory compliance issues through misuse of the data. In the worst-case scenario, they can steal the confidential data and sell it. Information Risk Management technology continuously learns corporate, customer and partner user behavior patterns and alerts to changes in these patterns.
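The "learn the behavior pattern, alert on the change" idea above is the core of insider-threat detection against authorized users. The following is an added example, not code from the article or from any product it alludes to: it learns a per-user baseline from constructed database audit records (the `(day, user, table, rows_returned)` record shape, the five-day learning window and the z-score threshold are all assumptions) and flags three departures from it on a review day: a user with no history, a table the user never read before, and a row-volume spike. A real deployment would read these fields from the database's audit trail and tune the thresholds to the observed data.

```python
"""Baseline-and-deviation detection over database audit records.

Added example; not code from the original article. The record format
(day, user, table, rows_returned), the learning window and the thresholds
are assumptions chosen for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample audit records, not real data: (day, user, table, rows_returned).
# Days 1-5 are the learning period; day 6 is the period under review.
AUDIT_LOG = [
    (1, "alice", "customers", 42), (2, "alice", "customers", 50),
    (3, "alice", "customers", 47), (4, "alice", "customers", 55),
    (5, "alice", "customers", 51),
    (1, "bob", "orders", 210), (2, "bob", "orders", 190),
    (3, "bob", "orders", 205), (4, "bob", "orders", 200),
    (5, "bob", "orders", 195),
    # Review day: alice behaves as usual, bob pulls 25x his normal volume,
    # mostly from a table he never touched, and carol has no history at all.
    (6, "alice", "customers", 55),
    (6, "bob", "orders", 230),
    (6, "bob", "customers", 4770),
    (6, "carol", "customers", 10),
]


def build_baseline(records, learning_days):
    """Learn, per user, the tables normally read and the daily row-volume profile."""
    rows_by_user_day = defaultdict(lambda: defaultdict(int))
    tables_by_user = defaultdict(set)
    for day, user, table, rows in records:
        if day in learning_days:
            rows_by_user_day[user][day] += rows
            tables_by_user[user].add(table)
    baseline = {}
    for user, per_day in rows_by_user_day.items():
        # A learning day with no activity counts as zero rows, so the profile
        # reflects the user's real cadence rather than only their busy days.
        series = [per_day.get(d, 0) for d in sorted(learning_days)]
        baseline[user] = {
            "tables": frozenset(tables_by_user[user]),
            "mean": mean(series),
            "stdev": pstdev(series),
        }
    return baseline


def detect_anomalies(records, baseline, review_day, z_threshold=3.0, min_stdev=1.0):
    """Flag review-day behaviour that departs from the learned baseline.

    Returns (user, kind, detail) tuples of three kinds:
      unknown_user  - activity by a user with no learning-period history
      new_table     - a table the user never read during the learning period
      volume_spike  - daily rows returned more than z_threshold standard
                      deviations above the user's learned mean
    """
    rows_today = defaultdict(int)
    tables_today = defaultdict(set)
    for day, user, table, rows in records:
        if day == review_day:
            rows_today[user] += rows
            tables_today[user].add(table)

    alerts = []
    for user in sorted(rows_today):
        profile = baseline.get(user)
        if profile is None:
            alerts.append((user, "unknown_user", f"{rows_today[user]} rows, no baseline"))
            continue
        for table in sorted(tables_today[user] - profile["tables"]):
            alerts.append((user, "new_table", table))
        # Floor the spread so a perfectly steady user (stdev 0) still gets a
        # finite z-score instead of a division by zero.
        spread = max(profile["stdev"], min_stdev)
        z = (rows_today[user] - profile["mean"]) / spread
        if z > z_threshold:
            alerts.append((user, "volume_spike", f"{rows_today[user]} rows, z={z:.1f}"))
    return alerts


if __name__ == "__main__":
    base = build_baseline(AUDIT_LOG, learning_days={1, 2, 3, 4, 5})
    for alert in detect_anomalies(AUDIT_LOG, base, review_day=6):
        print(alert)
```

On the constructed data alice's 55 rows sit well within her profile and produce nothing, while bob is flagged twice (a new table and a volume spike) and carol once as an unknown user. The point the example makes is that none of these users violated an access-control rule; each had, or could plausibly have had, legitimate credentials, which is exactly why perimeter and permission checks alone miss this class of misuse.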

2. Bust up policy barriers

Security, auditing, regulatory affairs and privacy impact the entire organization and should not be kept in departmental silos. People, process and technology must be integrated. A crucial element is that the organization's security executive must have the authority and budget to develop, implement and enforce a holistic information security plan. The mindset of “implied trust” between systems, employees and trusted partners is no longer valid. Information Risk Management technology uses data governance frameworks to integrate business functions, control processes, employee education and cultural values.

3. It's all about privacy

You can't have privacy without security and you can't meet regulatory compliance without privacy. Security is a building block for privacy, which is a major component of regulatory initiatives. For example, CA1386, HIPAA and GLBA in the United States and the Japan Information Privacy Law are primarily about privacy. The fundamental weakness of such laws is that they cannot protect your brand, sensitive data, business continuity or financial position against a breach. Implementing a comprehensive information risk management solution helps you achieve privacy and compliance through security.

4. Don't stop working

Effective Information Risk Management should not radically alter work or its flow. Examples are rife of organizations implementing draconian policies that substantially reduce productivity and impair customer service, while providing questionable security benefits. Securing information is fundamentally about protecting data integrity, confidentiality and availability at rest and as it moves through the organization and beyond to the value chain. As such, Information Risk Management must protect information “in context” of business processes, decisions and evolving conditions.

5. Don't spend foolishly

You must match the level of Information Risk Management investment directly to the level of risk. Business process owners should determine risk profiles of the organization's data. For instance, customer data has a much higher risk profile than a marketing brochure PDF. The resulting risk management portfolio is an essential guide to selecting the necessary technologies. The next step is evaluating the risk reduction on investment.

For each dollar invested, ascertain the quantitative and qualitative risk mitigated by the technology. Every organization has an optimal risk reduction on investment tipping point.

6. Be afraid – it will happen to you

Expect the unexpected by assigning responsibilities before a privacy breach occurs. Information theft only happening to the “other guy” is just a myth, and the chance is greater than 50 percent that it has already happened at your organization. Access to customer demand forecasts, financial records and patents is very valuable, not just to your trusted partners, but also to thieves and harvesters. Protecting against abused authorized user privileges should top the list of priorities. Ernst & Young recently reported that 70% of all security breaches that involve losses of more than $100,000 are perpetrated internally.

7. No silver bullet

There is no single technology that will solve security problems or provide regulatory compliance! Proper planning of how people and processes should leverage technology and enforce business rules and security best practices is key to a successful Information Risk Management strategy. The right Information Risk Management solution should be judged on its vulnerability assessment, monitoring, auditing and deterrence functionality. Also important are global support for heterogeneous databases, compliance reporting and cost efficiency. Remember that Information Risk Management is a process that requires continuous monitoring, auditing and adjustment of how sensitive information is used – not just an initial risk assessment.
