Rethink Your Risk Assessment Lifecycle




Information Security in a Box: A Guide for Establishing Baseline Maturity. Rethink Your Risk Assessment Lifecycle. www.executiveboard.com

INFORMATION SECURITY IN A BOX: A GUIDE FOR ESTABLISHING BASELINE MATURITY

Use this roadmap to identify the key steps and illustrative timelines for developing an information security function. For detailed guidance on each of these nine focus areas, see Information Security in a Box: A Guide for Establishing Baseline Maturity. Illustrative timeline: 3, 6, 9, 12, 15, and 18 months.

Introduction: Design Your Information Security Function
- Determine the Structure of Your Function
- Establish a Governance Model

1. Improve the Effectiveness of Your Security Policies
- Assess Policy Effectiveness
- Design a Policy Strategy
- Develop the Full Policy Stack
- Define a Policy Review Process

2. Develop a Comprehensive Incident Response Process
- Define Scope and Conduct Groundwork
- Set Criteria to Detect and Analyze Incidents
- Prepare to Contain, Eradicate, and Recover from Incidents
- Ensure Postmortem Learning

3. Streamline Your Regulatory Compliance Program
- Develop a Rationalized Compliance Framework
- Streamline Deployment Decisions
- Assess and Update Compliance Status

4. Implement an Effective Data Privacy Program
- Structure the Privacy Program
- Create an Enterprise Privacy Policy
- Conduct an Impact Assessment
- Develop a Privacy Breach Response Plan

5. Rethink Your Risk Assessment Lifecycle
- Create a Risk Assessment Framework
- Build the Risk Assessment Process
- Define Risk Treatment Options
- Articulate an Enterprise-Level View of Information Risk

6. Build an Effective Metrics Program
- Understand the Design Principles of an Effective Metrics Program
- Create the Framework for Your Metrics Program
- Define Your Metrics

7. Implement an Effective Employee Awareness Campaign
- Create the Business Case
- Identify and Understand Employee Behaviors
- Design Audience-Focused Awareness Efforts
- Evaluate Effectiveness

8. Create Your Business Continuity and Disaster Recovery Plan
- Conduct Groundwork
- Develop a Continuity Framework and Recovery Plan
- Test and Maintain the Plan

RETHINK YOUR RISK ASSESSMENT LIFECYCLE: EXECUTIVE SUMMARY

A Core Competency That a Surprising Number of Organizations Lack

Risk assessments, a core competency of Information Security, are deployed to support a variety of business and security goals, including identifying new or changed levels of risk, clarifying ownership over risk and risk mitigation activities, uncovering areas with inadequate controls, and quantifying and communicating risk levels to IT and business partners. The routine implementation of new laws affecting the enterprise and the rapid adoption of new technologies create a turbulent environment in which organized, clearly articulated risk assessment processes are critical to risk management. Surprisingly few organizations have formalized their risk assessment lifecycles, despite this rapidly changing environment and its inherent threats.

Beyond implementing or improving their ability to assess the risk of specific targets, such as new projects or third parties, security functions are increasingly being called upon to provide more consultative risk assessments. Business leaders use these assessments to inform strategy and major business decisions, and they usually require Security to articulate an enterprise-level view of information risks.

Obstacles to Maturing This Capability

Business stakeholders often see Security as an organization that says "no" and view risk assessment as the primary bottleneck where business projects are denied or delayed. Business partners may therefore be averse to partnering with Security to formalize the risk assessment process. Security functions, for their part, may view the need to continually adapt and evolve risk assessments to meet the needs of specific projects, processes, and workflows as a reason to forgo standardization entirely. Conducting assessments ad hoc and failing to work from a common language form the foundation for inefficient, frustrating, and minimally effective risk management.

What the Best Companies Do

Mature companies adopt risk assessment frameworks that allow them to manage information risk in a structured, comprehensive, and cost-effective way. Progressive companies include business stakeholders in every phase of the risk assessment process, from developing the framework to applying treatments and anticipating enterprise-level risks. This strong partnership forms the basis for organization-wide understanding of, and participation in, risk management.

CEB provides insights organized into four actionable steps for rethinking your risk assessment lifecycle:
1. Create a Risk Assessment Framework
2. Build the Risk Assessment Process
3. Define Risk Treatment Options
4. Articulate an Enterprise-Level View of Information Risk

CEB Information Risk Leadership Council
General Manager: Warren Thune
Executive Director: Shvetank Shah
Managing Director: Kavitha Venkita
Practice Manager: Jeremy Bergsman
Research and Advisory Team: Boris Alexandrov, Matthew Brumback, William Candrick, Joshua Downie, Yinuo Geng, Daniel Howard, Parijat Jauhari, David Kingston, Emma Kinnucan, Karolina Laskowska, Tim Macintyre, Chris Mixter, Scott Pedowitz, Shilpa Pental, Dorota Pietruszewska, Carsten Schmidt, Alex Stille

Content Publishing Solutions
Print Designers: Nicole Daniels, Lindsay Kumpf
Contributing Designers: Kunal Anand, Samira Haksar, Casey Labrack
Editor: Kate Seferian

CONFIDENTIALITY AND INTELLECTUAL PROPERTY
These materials have been prepared by The Corporate Executive Board Company and its affiliates (CEB) for the exclusive and individual use of our member companies. These materials contain valuable confidential and proprietary information belonging to CEB, and they may not be shared with any third party (including independent contractors and consultants) without the prior approval of CEB. CEB retains any and all intellectual property rights in these materials and requires retention of the copyright mark on all pages reproduced.

LEGAL CAVEAT
CEB is not able to guarantee the accuracy of the information or analysis contained in these materials. Furthermore, CEB is not engaged in rendering legal, accounting, or any other professional services. CEB specifically disclaims liability for any damages, claims, or losses that may arise from a) any errors or omissions in these materials, whether caused by CEB or its sources, or b) reliance upon any recommendation made by CEB.

IREC6816213SYN

SELF-DIAGNOSTIC

Use this diagnostic to assess the maturity of your current risk assessment process and to identify gaps in your program. Rate each of the eight statements below on the following scale: I Strongly Disagree / I Disagree / It Depends / I Agree / I Strongly Agree.

Step 1
- A formally documented, high-level risk assessment process is in place, written in business-friendly language, and can be easily articulated to key business stakeholders.
- Common taxonomies for risks, threats, and controls are in place and known to and understood by key business stakeholders.

Step 2
- Risk assessment questionnaires are written in business-friendly language and designed to test for business-specific risks.
- Security works with business process owners, Audit, and HR to identify high-risk business workflows and to define risk assessment criteria.

Step 3
- Stakeholders involved in risk decision making are aware of and understand their roles and responsibilities regarding risk treatment.
- Established risk acceptance guidelines are in place and effectively facilitate decision making by business partners and risk owners.

Step 4
- External and internal analysis is routinely conducted to identify which sources of risk are of greatest concern to peer organizations and of potential relevance to our business.
- Risk assessments are supplemented with an organizational assessment that benchmarks Security's activities, performance, and goals against those of peer organizations.

Total Score

Scoring Guideline
- Nascent: 8 to 18
- Baseline: 19 to 29
- World Class: 30 to 40

Source: CEB analysis.

DEVELOPING INFORMATION SECURITY'S CAPABILITIES

This study will help you strengthen the maturity of your security organization's ability to rethink your risk assessment lifecycle.

Rethink Your Risk Assessment Lifecycle: Maturity Levels

Nascent
- No formalized risk assessment framework is in place.
- Risk assessment questions are generic and have been added to questionnaires over time on an ad hoc basis.
- Risk owners don't understand their risk treatment and acceptance responsibilities.
- Security is focused on technical vulnerabilities and cannot articulate emerging risks or top-level information risks from a business perspective.

Baseline
- A documented risk assessment framework is in place but is not fully aligned to core business risks.
- Risk assessment questions themselves are aligned to business risks but are rarely specific enough to generate actionable assessment output.
- Risk owners know their risk treatment and acceptance responsibilities in theory, but they only reluctantly take part in risk management decisions.
- Security conducts analysis to anticipate emerging, enterprise-level risks only on an ad hoc basis.

World Class
- Security's risk assessment framework aligns to business risks and is understood by business partners.
- Risk assessment questions are designed to identify specific business risks, which are in turn mapped to actionable controls.
- True risk owners routinely and willingly collaborate with Security to make risk management decisions.
- Security has established a formal process to predict and prepare for new and emerging threat trends.

Contact your account director for more details on benchmarking Security's core capabilities.

RETHINK YOUR RISK ASSESSMENT LIFECYCLE
1. Create a Risk Assessment Framework
2. Build the Risk Assessment Process
3. Define Risk Treatment Options
4. Articulate an Enterprise-Level View of Information Risk

Key Insights and Sample Tools and Templates

Key insight: Create a risk assessment framework aligned to core business activities. Risk assessments designed to be in sync with business processes are more effective at uncovering the risks relevant to key business stakeholders.
Sample tools: Risk Assessment Process Overview; Risk Assessment Lenses and Types.

Key insight: Use taxonomies to establish an enterprise-wide understanding of risks, threats, and controls. Uniform, commonly understood definitions for security terms facilitate risk identification and communication across the enterprise. Where applicable, these terms should align to Enterprise Risk Management (ERM) taxonomies.
Sample tools: Risk, Control, and Threat Taxonomies.

Key insight: Design a standardized risk rating method that business stakeholders can understand. Standardized risk rating methods enable key business stakeholders to understand risk magnitude, information they can use to make risk acceptance and treatment decisions more effectively. Where applicable, these methods should align to ERM risk ratings.
Sample tools: Risk Rating Criteria.

Find these and related tools online in the Information Security in a Box Toolkit at http://ceburl.com/1heu.

KNOW THE VALUE OF THE FRAMEWORK

Risk assessment frameworks establish standardized processes for risk assessment, allowing for a more consistent and therefore more efficient and effective assessment lifecycle. Risk assessment frameworks promote uniform risk identification across the enterprise, cutting down confusion and miscommunication between Security and business partners. Security must consider its organization's unique aspects, including business structures, IT business relationships, and business culture, to ensure its risk assessment framework produces relevant, actionable results.

Risk Assessment Framework Components

1. Identify the type and scope of risk assessments you need.
- Become familiar with the range of available risk assessment types.
- Be able to differentiate between operational and consultative assessments; know the importance of each.
- Review business activities, goals, and structure to identify priority targets for assessment; ensure planned assessments align to business priorities.
- Collaborate with cross-functional partners in Audit, HR, and Legal to reduce overlap and duplication of effort in the assessment process.

2. Develop a common language using taxonomies.
- Establish a common set of terms that define risks, threats, and controls for your organization.
- Ensure terms are nontechnical and business friendly in nature.

3. Be able to talk to business partners about risk.
- Establish a clear, concise, business-aligned process for communicating risk assessment output.
- Define risk in terms relevant to business partners.

Source: CEB analysis.

UNDERSTAND AVAILABLE RISK ASSESSMENT TYPES

Security will need to apply different types of risk assessment in different situations; these assessment types must be defined within the framework. Operational risk assessments remain a vital competency, but Security will increasingly be required to devote time to consultative assessments that reveal risks outside of technologies.

Assessment Typology

Consultative
Goals:
- Identify risks to key business objectives along with risk treatment options that enable business projects to move forward securely.
- Engage risk owners in threat and vulnerability identification.
- Present clear, transparent recommendations to inform risk decision making.
- Also accomplish all operational assessment goals.
Examples:
- Business Entity Risk Assessment: Top-down assessment of an operating entity as a whole, designed to identify top risks; output typically bubbles up into ERM/board-level reports and informs information risk strategic plans and priorities.
- Strategy/Advisory Risk Assessment: Assessment of business decisions that are strategic in nature and have significant cost, value, or market position implications, such as switching from company-provided devices to employee-owned devices or entering a new market.
- Business Process/Workflow Risk Assessment: Assessment of a sequence of business activities that produces a result of observable value; it is designed to uncover vulnerabilities related to workflow and end-user behavior.
- Business Capability Risk Assessment: Assessment of a collection of business processes, people, and technology that make up an organization's capacity to achieve a specific objective; business capabilities are typically at a high enough level to have heterogeneous business stakeholders. Examples of business capabilities include onboarding a new employee or managing the order-to-pay cycle.

Operational
Goals:
- Identify threats and vulnerabilities to technology projects, assets, and systems, and ensure proper controls are in place.
- Ensure technologies meet security policies, standards, and regulations.
- Identify areas of potential security investment.
Examples:
- Project Risk Assessment: Assessment of new IT projects, such as upgrading to Windows 7, implementing SharePoint, or buying a new payroll system; assessments of changes to existing assets or processes are also included in this category.
- Asset-Based Risk Assessment: Targeted assessment of existing technology assets, such as applications, infrastructure, or IT systems.
- Vulnerability Scanning: Broad-based, technical testing of infrastructure to uncover potential vulnerabilities in system configuration.
- Third-Party Risk Assessment: Assessment of suppliers and outsourcers providing a product or service with IT components or involving hosting, sharing, or transfer of corporate data.

Source: CEB analysis.

KNOW WHICH RISK ASSESSMENTS TO USE AND WHERE TO USE THEM

Enterprise structure can serve as a mental map for Security to determine which assessment types will be most appropriate for which projects, processes, workflows, and assets. Understanding enterprise structure also enables Security to determine which types of assessment it will need to conduct most often and which will take the most time, allowing for better resource and staff allocation. Most security functions will need to conduct more operational assessments but will find that consultative assessments require more engagement with business partners and are therefore more time-consuming.

Organizational Design of a Typical Enterprise (Schematic)
- Business Objectives and Organizational Structure (e.g., business units, business capabilities)
- Initiatives and Workflows (e.g., business processes, strategic business initiatives)
- Components of Initiatives and Workflows (e.g., projects, assets)

Risk Assessment Types (listed from the enterprise level down)
Consultative:
- Business Entity Risk Assessment
- Business Capability Risk Assessment
- Business Process/Workflow Risk Assessment
- Strategy/Advisory Risk Assessment
Operational:
- Project Risk Assessment
- Asset-Based Risk Assessment
- Vulnerability Scanning/Penetration Testing
- Third-Party Risk Assessment

Source: CEB analysis.
