Rethink Your Risk Assessment Lifecycle

Transcription

1 Information Security in a Box A Guide for Establishing Baseline Maturity Rethink Your Risk Assessment Lifecycle

2 INFORMATION SECURITY IN A BOX: A GUIDE FOR ESTABLISHING BASELINE MATURITY Use this roadmap to identify the key steps and illustrative timelines for developing an information security function. For detailed guidance on each of these nine focus areas, see Information Security in a Box: A Guide for Establishing Baseline Maturity. 3 Months 6 Months 9 Months 12 Months 15 Months 18 Months Introduction: Design Your Information Security Function Determine the Structure of Your Function Establish a Governance Model 1. Improve the Effectiveness of Your Security Policies Assess Policy Effectiveness Design a Policy Strategy Develop the Full Policy Stack Define a Policy Review Process 2. Develop a Comprehensive Incident Response Process Define Scope and Conduct Groundwork Set Criteria to Detect and Analyze Incidents Prepare to Contain, Eradicate, and Recover from Incidents Ensure Postmortem Learning 3. Streamline Your Regulatory Compliance Program Develop a Rationalized Compliance Framework Streamline Deployment Decisions Assess and Update Compliance Status Structure the Privacy Program 4. Implement an Effective Data Privacy Program Create an Enterprise Privacy Policy Conduct an Impact Assessment Develop a Privacy Breach Response Plan 5. Rethink Your Risk Assessment Lifecycle 6. Build an Effective Metrics Program Create a Risk Assessment Framework Understand the Design Principles of an Effective Metrics Program Build the Risk Assessment Process Create the Framework for Your Metrics Program Define Risk Treatment Options Define Your Metrics Articulate an Enterprise-Level View of Information Risk 7. Implement an Effective Employee Awareness Campaign 8. Create Your Business Continuity and Disaster Recovery Plan Create the Business Case Identify and Understand Employee Behaviors Conduct Groundwork Design Audience-Focused Awareness Efforts Evaluate Effectiveness Develop a Continuity Framework and Recovery Plan Test and Maintain the Plan

3 RETHINK YOUR RISK ASSESSMENT LIFECYCLE: EXECUTIVE SUMMARY A Core Competency That a Surprising Number of Organizations Lack Risk assessments a core competency of Information Security are deployed to support a variety of business and security goals, including identifying new or changed levels of risk, clarifying ownership over risk and risk mitigation activities, uncovering areas with inadequate controls, and quantifying and communicating risk levels to IT and business partners. The routine implementation of new laws affecting the enterprise and the rapid adoption of new technologies create a turbulent environment where organized, clearly articulated risk assessment processes are critical to risk management. Surprisingly few organizations have formalized their risk assessment lifecycles, despite this rapidly changing environment and its inherent threats. Beyond implementing or improving their ability to assess risk of specific targets, such as new projects or third parties, security functions are increasingly being called upon to provide more consultative risk assessments. Business leaders use these assessments to inform strategy and major business decisions and usually require Security to articulate an enterprise-level view of information risks. Obstacles to Maturing This Capability Business stakeholders often see Security as an organization that says no and view risk assessment as the primary bottleneck where business projects are denied or delayed. Therefore, business partners may be averse to partnering with Security to formalize the risk assessment process. Security functions may view the need to continually adapt and evolve risk assessments to meet the needs of specific projects, processes, and workflows as a reason to forego standardization entirely. Conducting assessments ad hoc and failing to work from a common language form the foundation for inefficient, frustrating, and minimally effective risk management. What the Best Companies Do Mature companies adopt risk assessment frameworks that allow them to manage information risk in a structured, comprehensive, and cost-effective way. Progressive companies include business stakeholders in every phase of the risk assessment process from developing the framework to applying treatments and anticipating enterprise-level risks. This strong partnership forms the basis for organization-wide understanding of and participation in risk management. CEB provides insights organized into four actionable steps for rethinking your risk assessment lifecycle: 1. Create a Risk Assessment Framework 2. Build the Risk Assessment Process 3. Define Risk Treatment Options 4. Articulate an Enterprise-Level View of Information Risk Rethink Your Risk Assessment Lifecycle 1

4 Information Security in a Box: A Guide for Establishing Baseline Maturity 2 CEB Information Risk Leadership Council General Manager Warren Thune Executive Director Shvetank Shah Managing Director Kavitha Venkita Practice Manager Jeremy Bergsman Research and Advisory Team Boris Alexandrov Matthew Brumback William Candrick Joshua Downie Yinuo Geng Daniel Howard Parijat Jauhari David Kingston Emma Kinnucan Karolina Laskowska Tim Macintyre Chris Mixter Scott Pedowitz Shilpa Pental Dorota Pietruszewska Carsten Schmidt Alex Stille Content Publishing Solutions Print Designers Nicole Daniels Lindsay Kumpf Contributing Designers Kunal Anand Samira Haksar Casey Labrack Editor Kate Seferian CONFIDENTIALITY AND INTELLECTUAL PROPERTY These materials have been prepared by The Corporate Executive Board Company and its affiliates (CEB) for the exclusive and individual use of our member companies. These materials contain valuable confidential and proprietary information belonging to CEB, and they may not be shared with any third party (including independent contractors and consultants) without the prior approval of CEB. CEB retains any and all intellectual property rights in these materials and requires retention of the copyright mark on all pages reproduced. LEGAL CAVEAT CEB is not able to guarantee the accuracy of the information or analysis contained in these materials. Furthermore, CEB is not engaged in rendering legal, accounting, or any other professional services. CEB specifically disclaims liability for any damages, claims, or losses that may arise from a) any errors or omissions in these materials, whether caused by CEB or its sources, or b) reliance upon any recommendation made by CEB. IREC SYN

5 Use this diagnostic to assess the maturity of your current risk assessment process and to identify gaps in your program. SELF-DIAGNOSTIC A formally documented, high-level risk assessment process is in place, written in business-friendly language, and can be easily articulated to key business stakeholders. I Strongly Disagree I Disagree It Depends I Agree I Strongly Agree Step 1 Common taxonomies for risks, threats, and controls are in place and known to and understood by key business stakeholders. Risk assessment questionnaires are written in business-friendly language and designed to test for business-specific risks. Security works with business process owners, Audit, and HR to identify highrisk business workflows and to define risk assessment criteria. Step 2 Stakeholders involved in risk decision making are aware of and understand their roles and responsibilities regarding risk treatment. Established risk acceptance guidelines are in place and effectively facilitate decision making by business partners and risk owners. Step 3 Scoring Guideline Nascent 8 18 Baseline World Class External and internal analysis is routinely conducted to identify which sources of risk are of greatest concern to peer organizations and of potential relevance to our business. Risk assessments are supplemented with an organizational assessment that benchmarks Security s activities, performance, and goals against those of peer organizations. Step 4 Total Score Source: CEB analysis. Rethink Your Risk Assessment Lifecycle 3

6 DEVELOPING INFORMATION SECURITY S CAPABILITIES Information Security in a Box: A Guide for Establishing Baseline Maturity 4 This study will help you strengthen the maturity of your security organization s ability to rethink your risk assessment lifecycle. Rethink Your Risk Assessment Lifecycle Nascent Baseline World Class No formalized risk assessment framework is in place. Risk assessment questions are generic and have been added to questionnaires over time on an ad hoc basis. Risk owners don t understand their risk treatment and acceptance responsibilities. Security is focused on technical vulnerabilities and cannot articulate emerging risks or top-level information risks from a business perspective. A documented risk assessment framework is in place but is not fully aligned to core business risks. Risk assessment questions themselves are aligned to business risks but are rarely specific enough to generate actionable assessment output. Risk owners know their risk treatment and acceptance responsibilities in theory, but they only reluctantly take part in risk management decisions. Security conducts analysis to anticipate emerging, enterprise-level risks only on an ad hoc basis. Security s risk assessment framework aligns to business risks and is understood by business partners. Risk assessment questions are designed to identify specific business risks, which are in turn mapped to actionable controls. True risk owners routinely and willingly collaborate with Security to make risk management decisions. Security has established a formal process to predict and prepare for new and emerging threat trends. Contact your account director for more details on benchmarking Security s core capabilities.

7 RETHINK YOUR RISK ASSESSMENT LIFECYCLE 1. Create a Risk Assessment Framework 2. Build the Risk Assessment Process 3. Define Risk Treatment Options 4. Articulate an Enterprise-Level View of Information Risk Key Insights Sample Tools and Templates Create a risk assessment framework aligned to core business activities. Risk assessments designed to be in sync with business processes are more effective at uncovering the risks relevant to key business stakeholders. Risk Assessment Process Overview Risk Assessment Lenses and Types Use taxonomies to establish an enterprise-wide understanding of risks, threats, and controls. Uniform, commonly understood definitions for security terms facilitate risk identification and communication across the enterprise. Where applicable, these terms should align to Enterprise Risk Management (ERM) taxonomies. Risk, Control, and Threat Taxonomies Design a standardized risk rating method that business stakeholders can understand. Standardized risk rating methods enable key business stakeholders to understand risk magnitude information they can use to more effectively make risk acceptance and treatment decisions. Where applicable, these methods should align to ERM risk ratings. Risk Rating Criteria Find these and related tools online in the Information Security in a Box Toolkit at Rethink Your Risk Assessment Lifecycle 5

8 Information Security in a Box: A Guide for Establishing Baseline Maturity 6 Risk assessment frameworks establish standardized processes for risk assessment, allowing for a more consistent and therefore more efficient and effective assessment lifecycle. KNOW THE VALUE OF THE FRAMEWORK Risk Assessment Framework Components Identify the type and scope of risk assessments you need. Develop a common language using taxonomies. Be able to talk to business partners about risk. Risk assessment frameworks promote uniform risk identification across the enterprise, cutting down confusion and miscommunication between Security and business partners. Security must consider its organization s unique aspects including business structures, IT business relationships, and business culture to ensure its risk assessment framework produces relevant, actionable results. Become familiar with the range of available risk assessment types. Be able to differentiate between operational and consultative assessments; know the importance of each. Review business activities, goals, and structure to identify priority targets for assessment; ensure planned assessments align to business priorities. Collaborate with crossfunctional partners in Audit, HR, and Legal to reduce overlap and duplication of effort in the assessment process. Establish a common set of terms that define risks, threats, and controls for your organization. Ensure terms are nontechnical and business friendly in nature. Establish a clear, concise, business-aligned process for communicating risk assessment output. Define risk in terms relevant to business partners. Source: CEB analysis. CREATE A RISK ASSESSMENT FRAMEWORK BUILD THE RISK ASSESSMENT PROCESS DEFINE RISK TREATMENT OPTIONS ARTICULATE AN ENTERPRISE-LEVEL VIEW OF INFORMATION RISK

9 Security will need to apply different types of risk assessment in different situations; these assessment types must be defined within the framework. Operational risk assessments remain a vital competency, but Security will increasingly be required to devote time to consultative assessments that reveal risks outside of technologies. UNDERSTAND AVAILABLE RISK ASSESSMENT TYPES Assessment Typology Consultative Identify risks to key business objectives along with risk treatment options that enable business projects to move forward securely. Engage risk owners in threat and vulnerability identification. Present clear, transparent recommendations to inform risk decision making. Also accomplish all operational assessment goals. Examples Business Entity Risk Assessment: Top-down assessment of an operating entity as a whole, designed to identify top risks; output typically bubbles into ERM/board-level reports and informs information risk strategic plans and priorities. Strategy/Advisory Risk Assessment: Assessment of business decisions that are strategic in nature and have significant cost, value, or market position implications, such as switching from company-provided devices to employee-owned devices or entering into a new market Business Process/Workflow Risk Assessment: Assessment of a sequence of business activities that produces a result of observable value; it is designed to uncover vulnerabilities related to workflow and end-user behavior. Business Capability Risk Assessment: Assessment of a collection of business processes, people, and technology that make up an organization s capacity to achieve a specific objective; business capabilities are typically at a high-enough level to have heterogeneous business stakeholders. Examples of business capabilities include onboarding a new employee or managing the order-to-pay cycle. Operational Identify threats and vulnerabilities to technology projects, assets, and systems, and ensure proper controls are in place. Ensure technologies meet security policies, standards, and regulations. Identify areas of potential security investment. Examples Project Risk Assessment: Assessment of new IT projects, such as upgrading to Windows 7, implementing SharePoint, or buying a new payroll system; assessments of changes to existing assets or processes are also included in this category. Asset-Based Risk Assessment: Targeted assessment of existing technology assets, such as applications, infrastructure, or IT systems Vulnerability Scanning: Broad-based, technical testing of infrastructure to uncover potential vulnerabilities in system configuration Third-Party Risk Assessment: Assessment of suppliers and outsourcers providing a product or service with IT components or involving hosting, sharing, or transfer of corporate data Source: CEB analysis. CREATE A RISK ASSESSMENT FRAMEWORK BUILD THE RISK ASSESSMENT PROCESS DEFINE RISK TREATMENT OPTIONS ARTICULATE AN ENTERPRISE-LEVEL VIEW OF INFORMATION RISK Rethink Your Risk Assessment Lifecycle 7

10 Information Security in a Box: A Guide for Establishing Baseline Maturity 8 Enterprise structure can serve as a mental map for Security to determine which assessment types will be most appropriate for which projects, processes, workflows, and assets. KNOW WHICH RISK ASSESSMENTS TO USE AND WHERE TO USE THEM Organizational Design of a Typical Enterprise Schematic Risk Assessment Types Understanding enterprise structure also enables Security to determine which types of assessment it will need to conduct most often and which will take the most time, allowing for better resource and staff allocation. Most security functions will need to conduct more operational assessments but will find consultative assessments require more engagement with business partners and are therefore more time-consuming. Business Objectives and Organizational Structure (e.g., business units, business capabilities) Initiatives and Workflows (e.g., business processes, strategic business initiatives) Components of Initiatives and Workflows (e.g., projects, assets) Business Entity Risk Assessment Business Capability Risk Assessment Business Process/Workflow Risk Assessment Strategy/Advisory Risk Assessment Project Risk Assessment Asset-Based Risk Assessment Vulnerability Scanning/Penetration Testing Third-Party Risk Assessment Consultative Operational Source: CEB analysis. CREATE A RISK ASSESSMENT FRAMEWORK BUILD THE RISK ASSESSMENT PROCESS DEFINE RISK TREATMENT OPTIONS ARTICULATE AN ENTERPRISE-LEVEL VIEW OF INFORMATION RISK

11 Thank You for Your Interest in CEB Research! If you re a member, please log into your account to access the full study. If you would like access to this full study, please contact CEB to learn more. Member Login Contact CEB 2014 CEB. All rights reserved. CIO SYN