Information Security Risk Management Framework: what is it? (Information Security Tutorial)


So that brings us now to risk management. Now that we've actually set up the platform of where information security should be heading, and we have already set up a team of people that should be looking into information security, we now look at a risk-based approach towards managing information security.

So from the first phase, which we call the phase of security governance, we have actually said: this is my risk management framework and this is our risk acceptance criteria, which has been signed off by the leadership team. Based on that, we now look at how we actually manage that risk. Using ISO 31000 (and I believe that almost every other standard always refers back to ISO 31000 as well), it then provides you with the ability to come up with a framework to manage risk. Within the information security risk management framework you then have the identification of your risk, the assessment of your risk, the evaluation of your risk and then the treatment of your risk.

Now all that seems quite easy when you look at it: OK, makes sense. But what we need to look at now is how we actually come up with the measurements that will enable us first to assess, and then how we are able to treat, your risk. In many organizations there is an enterprise risk management framework, and even if you do not have one, it is always good to actually have a risk management framework in place. Where your organization already has an enterprise risk management framework, what we need to do is take the information security objectives which we have already outlined in the first phase, in security governance, and align them back to the enterprise risk management framework. From there we look at all the elements within the risk management framework as to how you measure risk. Obviously, in risk assessment itself you have the likelihood and the impact of a risk eventuating, and that should come from your enterprise risk management framework. So just as we have always said that every IT objective should be aligned to the corporate objective, in the same way we say information security objectives need to be aligned back to the enterprise risk management framework.

So from the information security risk management framework, if you look at the very first point, it says context establishment. Now you would have noticed that a lot of this would have already been done upfront during the security governance phase, and that's why we are able to divide them the way we do. The output from the context establishment then flows into this particular phase of information security risk management itself.

Within the risk management framework, aside from the alignment to the enterprise risk management framework, we need to have an understanding of the risk governance around it: who are the people that need to be involved in the risk management framework? We bring in people from the process side, the business side, and we bring in people from IT, because if we look at information security we are not just talking about IT security, we are talking about information security. In an organization, from the time that you collect your information, there is some manual representation of information and some digitalization of that information, so it brings us to look at both the manual information as well as the IT side of the information. So when we talk about risk governance we talk about bringing together the business component of a business as well as the IT component of the business to look at how we manage risk. When we start to divide the boundaries of information security we invite both the business people, whom we normally call process owners, and we bring in the people of IT, whom we normally call enablers or the support team for the business, and we start running through the risk assessment with both teams.

Now coming out from that, we have to have an idea about how we actually then look into those risks. The process owner obviously will understand what risk is to them; they will have an understanding of the process. For you to be able to look at risk assessment, we must first understand what your risk scenarios are. So what does this scenario mean? A risk scenario is something that you can actually get the understanding of out of the copy practices as well. A risk scenario is basically what I like to call storytelling. From understanding a process within an organization you will be able to then understand what controls you have in place, where there is a lack of those controls, and then what risk is presented from the lack of those controls. Having identified a scenario of a risk, it becomes easier then to start understanding what the likelihood is of that actually even happening, and then what the impact is if it actually does eventuate. Without having an understanding of what the risk scenario is, it becomes quite difficult for you to then identify what the likelihood is of it actually happening.

Then, from having an understanding of that, the next thing that we need to have an understanding about is how you then measure to what extent you think a particular risk is low, or what you view as medium or high risk. This is where a risk matrix table is really important. So how do we define a risk matrix table? Coming back again to what we have obtained in the first stage, it is to look at what is defined in the enterprise risk management framework. From there you are able to then look at the identification of when a risk is low, which is where an impact is low or the likelihood of it happening is low as well.

So what is important about the risk matrix table? The risk matrix table actually tells you to what extent it becomes justifiable for you to actually implement a control. If a control has got very low risk to an organization, it really doesn't make much sense for you to put in a lot of money into implementing a particular control, and vice versa: if risk is really high, even though the likelihood of it actually happening is low, you want to put some controls in place, and it's justifiable for you to put money into implementing those controls. Which is why we are saying that using a risk-based approach to managing information security makes more sense than just trying to implement security at Hockley across the organization, because in many organizations, where you are trying to run budgets, where you are trying to fight for resources, where you are trying to fight for costing of money, you will find that in these tough situations it is always good that you're able to prioritize your risk, so that you can say that these are the things that I can do today, but these are the things that I can leave until later for us to do.

Now once we have run through the risk assessment and we've identified what the things are that we need to do now and what we need to do later, what we need to do then, for each one of those risks that you've identified, is to look at what measurements you can then put in place to look at how successful a particular control that you have implemented is. So for example, if we are saying that a particular control is to put a measurement in place to measure how many security incidents have happened in this period of time, and we have measurements to say that the number of incidents that happen seems to have gone lower by the implementation of a particular control, then you can report to management to say that it is a successful SMS implementation, or sorry, a successful controls implementation. From that, the reporting that needs to go to management provides the close of the loop, to say that you have continuous improvement in your processes in the organization.

So at the end of the day, when we talk about information security, we can put in a lot of processes, we can put in a lot of frameworks, but ultimately whether an ISMS is successful or not, aside from the measurements that you see at the end of the tunnel, is actually about the culture that we have created, in terms of how everyone in the organization views information security. Do I actually understand information security to the extent that, for example, every time I leave my table I make sure that I've actually locked my screen, really actually doing it all the time, so that when I walk out from my table I actually lock the screen? A lot of the time awareness is good, but we have also found that along with awareness there is always the contributory factor of the culture that you inculcate in everyone in the organization. So ultimately why we do an ISMS is not only to improve the processes, to increase and heighten information security, but at the end of the day you want to create an awareness of information security across the organization.
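The risk-matrix scoring, acceptance-criteria evaluation and control measurement described in the talk, worked through as an added example (this is not code from the speaker or the tutorial): the likelihood and impact scales, the low/medium/high bands, the acceptance criteria and the sample scenarios and incident counts are all constructed assumptions standing in for what an enterprise risk management framework would define.

```python
"""Added example (not from the tutorial): score risk scenarios with a
likelihood x impact matrix, evaluate them against acceptance criteria, and
check a control's effect on incident counts. Scales, bands and data are constructed."""
from dataclasses import dataclass

# Constructed ordinal scales; the enterprise risk management framework defines the real ones.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTABLE = {"low"}  # risk acceptance criteria, assumed signed off by leadership

@dataclass
class RiskScenario:
    story: str       # the scenario as a story: process, missing control, consequence
    likelihood: str
    impact: str

def rate(s: RiskScenario) -> str:
    """Risk matrix: band the likelihood x impact score into low/medium/high.
    A major or severe impact never rates 'low' even when likelihood is low."""
    n = LIKELIHOOD[s.likelihood] * IMPACT[s.impact]
    if n >= 12:
        return "high"
    if n >= 5 or IMPACT[s.impact] >= 4:
        return "medium"
    return "low"

def treatment_plan(scenarios: list) -> dict:
    """Evaluate each rating against the acceptance criteria and prioritise:
    high -> treat now, other unacceptable -> treat later, acceptable -> accept."""
    plan = {"treat now": [], "treat later": [], "accept": []}
    for s in scenarios:
        r = rate(s)
        bucket = "accept" if r in ACCEPTABLE else ("treat now" if r == "high" else "treat later")
        plan[bucket].append(s.story)
    return plan

def control_effective(incidents_before: list, incidents_after: list) -> bool:
    """Measurement for the management report: did the mean incident count per
    period fall after the control was implemented?"""
    mean = lambda xs: sum(xs) / len(xs)
    return mean(incidents_after) < mean(incidents_before)

# Constructed sample register and monthly incident counts before/after a screen-lock control
SCENARIOS = [
    RiskScenario("Staff leave workstations unlocked in an open-plan office", "likely", "moderate"),
    RiskScenario("Paper customer files kept in an unlocked cabinet", "unlikely", "major"),
    RiskScenario("Isolated lab server is patched manually", "rare", "minor"),
]
INCIDENTS_BEFORE, INCIDENTS_AFTER = [4, 5, 3], [2, 1, 2]
```

Calling `treatment_plan(SCENARIOS)` gives the "do now / do later / accept" split the talk describes, and `control_effective(INCIDENTS_BEFORE, INCIDENTS_AFTER)` is the kind of measurement that closes the loop in the management report.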
