What is Risk Management in Information Security?
The need to protect our personal information is now just as important as protecting our physical possessions because the damage it can lead to if left unprotected can be catastrophic. Information security, often referred to as 'Infosec', refers to the measures we take to protect our data and information systems, both physical and digital. The nature of much of the information organisations process means that it can be very valuable to others. Things like payment card information, names and addresses, bank information and so on, can all be valuable to cyber criminals looking to make easy money. This quality means cyber security is increasingly an important part of our working lives.
Security risks can lead to data breaches which can lead to financial losses, reputational damage and disruptions to operations. Without proper risk management, organisations stand to lose out.
Information Security Risk Management (ISRM) Explained
Risk management means that companies can forecast and evaluate the potential risks that may face them, and from there, devise procedures to avoid or mitigate the risks. The constant threat from cyber-criminals means that having an ISRM plan is crucial for survival in this digital age of business.
Information security risk has several important components:
- Threat factor: Whether it is a human or non-human factor that exploits a vulnerability
- Vulnerability: What is it that the threat actor exploits
- Outcomes: The result of exploiting the vulnerability
- Impact: Unwanted consequences from the incident
- Asset: The information, process, technology that was affected by the risk
Assuming that the information system at risk cannot be changed at all, the only component that can be altered is its vulnerability. ISRM is the process of identifying, understanding, assessing and mitigating risks through their vulnerabilities. In addition to identifying risks and the associated mitigation actions, a risk management method and process will help to identify information assets that need protecting.
How ISRM Works
If a company already has an enterprise risk management (ERM) program, then an ISRM can be an effective supporting strategy. The difference is that an ERM programme is much broader in the sense that it is the process of planning, organising, leading, and controlling the activities of a business with the aim to minimise risk on an organisation's capital and earnings, rather than cyber security risks. ERM looks at general enterprise risk, including financial, strategic and operational risks, as well as accidental losses.
Building an ISRM means using certain resources published by the National Institute of Standards and Technology (NIST) so that you meet certain expectations when it comes to ISRM:
- NIST Special Publication 800-39, Managing Information Security Risk
- NIST Special Publication 800-30, Guide for Conducting Risk Assessments
The whole process is about identifying your assets, vulnerabilities and threats. Then assessing these findings to work out your level of threat. From there, you can move onto the treatment of risks you've worked out from previous assessments.
What's really important is maintaining constant communication within the organisation. This means that everyone understands the severity of the problem if it isn't dealt with accordingly, because at the end of the day, everyone is affected if risks become a data breach. Another point to stress is that the problem isn't something that can be tackled once and then left to its own devices; information security needs to be continuously monitored so that awareness levels remain strong and so that systems are properly protected.
The business process of risk management is an ongoing task, and its success will come down to how well risks are assessed, plans are communicated, and roles are upheld. Identifying the critical people, processes and technology, creates a solid management framework for the organisation to have a strategy and program which can be developed further over time.