Mastering IT Risk Assessment

The foundation of your organization’s defense against cyber theft is a mastery of IT risk assessment. It is an essential part of any information security program, and it is required, explicitly or in practice, by regulatory and attestation frameworks such as SSAE 16, SOC 2, PCI DSS, ISO 27001, HIPAA and FISMA.

Compliance with those frameworks means that your organization not only has to complete an IT risk assessment but it must also assess and address the risks by implementing security controls.

In the event of a breach, an effective IT risk management plan, one that details exactly what your IT department will do and how it will do it, combined with the implementation of critical security controls, can save your organization millions of dollars in direct response costs, legal fees, regulatory fines, and the cost of rebuilding a damaged corporate reputation.

Evaluating the potential compliance, operational and reputational risks to your organization and then ranking their importance and likelihood is not easy. Even more challenging is developing and then implementing the IT risk management plan. If your IT department is undergoing an IT risk assessment now or strengthening its cybersecurity strategy, look to qualified industry professionals and innovative technologies to help you master the process and stay compliant.

Here are six tips to keep in mind:

1. Get professional help. Hire an independent third-party auditor and/or attorney. Your IT hosting provider may also offer compliance and auditing services. These consultants can provide a comprehensive risk analysis, audit assistance and privacy and security guidance, including identifying potential risks, exposures and liabilities. Bear in mind that an assessment performed by the same provider that hosts your systems is not independent; treat it as a supplement to, not a replacement for, a third-party review.

2. Use private cloud technology to protect sensitive data. Moving all or part of your infrastructure to a professionally managed, compliant private cloud offers benefits that drive business value. Your organization’s data and apps are hosted by experts in an environment that is independently audited for the specific regulatory compliance that you need, which is a big help in passing your own audit. Note, however, that the provider’s audit report covers only the controls the provider operates; the controls you retain (user access management, application configuration, data classification and handling) remain in scope for your own assessment. Also, your IT department is freed up to focus on strategic projects without bearing the burden of solving compliant hosting complexities, hassling with maintenance and support, managing staff allocations, and providing expensive training.

3. Invest in annual IT risk assessments, and repeat the assessment whenever a major change (a new system, a new business line, a merger, or a change in regulation) alters your risk profile. Be sure to work with an unbiased, fully independent auditing team, which typically includes certified engineers and compliance experts. Comprehensive risk assessments pinpoint the many risks faced by your organization and address network security vulnerabilities. They are designed to give you the education, expertise, support and protection that you need to plan your security strategy, pass your audits and maintain a continuously compliant IT environment.

4. Schedule frequent penetration testing and vulnerability scans. These uncover critical IT vulnerabilities and show how well you are protecting your network and data. The two are not interchangeable: vulnerability scans are automated and can run monthly or more often, while penetration tests are manual, find flaws scanners miss, and are typically performed at least annually and after significant changes (PCI DSS, for example, requires quarterly external scans and annual penetration tests). Ask your auditors, compliance experts or compliant hosting provider to perform monthly or quarterly tests, help you establish critical controls (such as encryption of data at rest and in transit, and hardened authentication), and develop a clear understanding of how to avoid IT compliance disasters. Get a full report on external, internal and web application testing as well as strategies for remediation.

5. Ensure application security. A good auditor or compliance team can help secure the design, development and deployment of your web-facing applications by assessing vulnerabilities in both the design and the implementation, and by addressing design flaws or security gaps that affect compliance before the application is deployed, when they are cheapest to fix. Managing and remediating risks now saves time and money later.

6. Educate employees about security. Frequent security awareness training and daily reminders throughout the workplace will help reduce policy violations. Your auditor or compliance team should customize a workplace awareness program for your business. Ensure that the training is situational and fully engaging.

Executive Focus Shifting to Operational Risks in 2015, Study Finds

Board members and C-suite executives across industries perceive the global business environment in 2015 as somewhat less risky for organizations than in the past two years. In “Executive Perspectives on Top Risks for 2015,” consulting firm Protiviti and the Enterprise Risk Management Initiative at the North Carolina State University Poole College of Management found that this is far from bad news for risk managers, as organizations are actually more likely to invest additional resources in risk management. Internal challenges like succession, attracting and retaining talent, regulation and cybersecurity are drawing the most attention, according to the report.

“Our survey findings indicate that operational risk issues are keeping many senior executives up at night,” said Mark Beasley, Deloitte Professor of Enterprise Risk Management and NC State ERM Initiative director. Indeed, for the third consecutive year, regulatory changes and heightened regulatory scrutiny ranked as the number one risk on the minds of board members and corporate executives, with 67% indicating that it will “significantly impact” their organizations. More than half of global survey respondents indicated that insufficient preparation to manage cybersecurity threats is a risk that will “significantly impact” their organizations in 2015, pushing cyber risk up three spots from last year to the third-greatest risk.

The Top 10 Risks for 2015

The top 10 risks identified in the annual risk survey, along with the percentages of respondents who identified each risk as having a “Significant Impact” on their business, were as follows. The list is ordered by the survey’s overall risk score rather than by this percentage, which is why the percentages do not decrease monotonically down the list:

1. Regulatory changes and heightened regulatory scrutiny may affect the manner in which our products or services will be produced or delivered (67%)

2. Economic conditions in markets we currently serve may significantly restrict growth opportunities for our organization (56%)

3. Our organization may not be sufficiently prepared to manage cyber threats that have the potential to significantly disrupt our core operations and/or damage our brand (53%)

4. Our organization’s succession challenges and ability to attract and retain top talent may limit our ability to achieve operational targets (56%)

5. Our organization’s culture may not sufficiently encourage the timely identification and escalation of risk issues that have the potential to significantly affect our core operations and achievement of strategic objectives (51%)

6. Resistance to change may restrict our organization from making necessary adjustments to the business model and core operations (49%)

7. Ensuring privacy/identity management and information security/system protection may require significant resources for us (52%)

8. Our organization may not be sufficiently prepared to manage an unexpected crisis significantly impacting our reputation (46%)

9. Sustaining customer loyalty and retention may be increasingly difficult due to evolving customer preferences and/or demographic shifts in our existing customer base (48%)

10. Our existing operations may not be able to meet performance expectations related to quality, time to market, cost and innovation as well as our competitors (46%)

The survey also identified differing perceptions of the current risk environment between boards of directors and members of the executive team. CEOs and boards of directors reported more optimism about risk issues, while CFOs and chief audit executives perceived a riskier business environment. “Given encouraging signs in the economy, we’ve observed an overall shift in focus from macroeconomic risks to operational risks, which had the greatest increase in risk scores from 2014. Notably, however, CEO respondents remained extremely focused on macro trends affecting their business,” Beasley said.

The study’s infographic, “Protiviti Top Risks for 2015,” presents more of its key findings.

Risk Management and Business Continuity: Improving Business Resiliency

Preparing for and responding to negative events, from the mundane to the catastrophic, from the predictable to the unforeseen, has become a fact of life for businesses and governments around the world. We don’t have to look any further than the seemingly daily reports of cyberattacks on governments, corporations and individuals to comprehend the severity of the problem.

Tackling these risks requires an integrated and holistic framework with the capability to identify, evaluate and adequately define responses to the circumstances. For more and more organizations, this means adopting an enterprise risk management (ERM) model. ERM seeks to identify all threats—including financial, strategic, personnel, market, technology, legal, compliance, geopolitical and environmental—that would adversely affect an organization. This holistic approach gives organizations a better framework for mitigating risk while advancing their goals and opportunities in the face of business threats. But in order to implement and continuously manage this enterprise-wide model there is a critical need for closer integration of two typically distinct roles within the organization: business continuity management (BCM) and risk management. Together, these two vital elements make up a robust ERM plan and have a tremendous impact on an organization’s ability to contend with interruptions to the execution of organizational activities.

Put in the simplest terms, risk management is concerned with minimizing both the probability of negative events and the damage they cause. Operational risk management, as the name implies, must cope with interruptions at the operational level. Recognizing that there are inherent imperfections in systems, people, facilities and general operational functions, the essence of operational risk management is to negate or reduce the probability of an incident occurring. Focusing on incident-specific, site-specific analysis of potential causes of interruptions, risk managers seek to preclude incidents from occurring. If elimination of the risk is not possible, the focus moves to minimizing the consequences of the negative event.

For example, suppression systems reduce the risk of operational disruption caused by fire damage. Redundant equipment decreases the possibility of operational interruption resulting from machine breakdown and redundant communications help maintain connectivity. By analyzing past events and examining known hazards (defined flood plains, hurricane-prone areas, construction sites, earthquake areas and terrorism-prone areas) operational risk management seeks to avoid the occurrence of negative destructive events.

But creating strategies to minimize the probability that an event will impact an organization certainly will not prevent the incident from taking place. No degree of preparation can stop a tornado, tsunami or other massively destructive event. So understanding that every incident is not preventable, our other line of defense is to minimize the impact. That’s where BCM comes in. BCM is concerned with minimizing the impact upon the entity after an event occurs and restoring the organization to its normal operations and delivery of products and services as quickly and safely as possible. In short, BCM helps maintain the viability of an entity under duress.

Because it is event-neutral, planning for effects rather than for specific causes, BCM can group the effects of any event into four distinct categories:

  • Effects on facilities, making them inaccessible or unusable
  • Effects on operational capability, such as supply chain interruptions, processing errors or staff unavailability
  • Effects on technology
  • Effects on the organization itself, ranging from financial problems to intellectual property rights.

When an event inevitably does occur, the optimal goal is to make any business interruptions imperceptible to those outside the affected organization. Here’s an example of how risk management and business continuity management, working together, enabled an organization to achieve that goal:

One of the world’s most important foreign exchange dealers realized that, as an occupant of a high-rise building, it could not control the consequences of all incidents that might impact its ability to service its customers, which were some of the largest financial institutions in the world. A review by the company’s risk manager determined that there was a likelihood of an interruption in service as a result of construction work in the surrounding area. To reduce the risk, it was recommended that they install redundant lines and route them through alternative conduits into the building, so they built redundancy into their telecom network. In addition, the risk of server failure was similarly high, so mirroring (real-time replication to a second server) was implemented to duplicate all transactions and ensure that no data would be lost in the event of a failure of the building’s infrastructure.

Despite all the precautions to reduce risk, what risk management couldn’t control was an East Coast blackout that terminated power to its operation. Recognizing the impact that a loss of power could have, including the loss of use of the facility, the business continuity professional determined that a robust contingency plan was required.

The business continuity plan included a strategy that automatically forwarded incoming calls to another facility outside the U.S. and also provided connectivity to its back-up technology center. When the blackout hit, the business continuity plan worked exactly as tested. Phones were switched, systems were accessible and, best of all, customers never knew the difference. The company was actually more prepared than many of its customers who failed to provide similar capabilities and had to cease trading.

The combination of risk management and business continuity provides the level of resiliency that most organizations must achieve in light of the uncertainty that exists today. The blend will reduce uncertainty and promote a more stable operating environment.