Risk Intelligence Blog

The Evantix Blog offers insight, tips and intelligence from leading risk authorities in enterprise vendor risk management and compliance.

Understanding & Balancing Information Risk

The first step in managing information risk is understanding the elements, drivers and impacts of information risk. In a recent poll Evantix asked, “What are the biggest impacts to your IT Risk program?”

a. Justifying the value of a comprehensive program
b. Cost of the program to execute and maintain
c. Integration with business objectives
d. Managing partners and service providers
e. All of the above

Overwhelmingly, the response came back ALL OF THE ABOVE! Most enterprises are faced with the task of justifying a comprehensive IT Risk Management program that is both expensive to operate and expensive to maintain. The risk management program must align with the current business objectives and fulfill the risk management needs of the corporation. These are difficult tasks: managing the risks of multiple company divisions while simultaneously managing the risks of every vendor, supplier and service partner.

This discussion focuses on the drivers of information risk to develop a core understanding of information risk and of the requirements to manage it within an organization. Part II of this series will look closer at the trends in information technology risk and business, including a focus on IT risk management capabilities. Part III of this series will build on Parts I and II to develop a methodology to measure IT risk in a meaningful way that can be used across the enterprise and the supplier network.

How Experts View Risk

Traditionally, risk management experts look at risk from two perspectives: the likelihood of the event, and the consequences if the event does occur. If you review the information security breach events since 2003 from these two perspectives, it becomes very evident which threats have major consequences and which have minor consequences.

Figure 1 below illustrates this by charting the “probability” of a security event having an impact on the organization on a scale from “Rare” to “Almost Certain” on the Y axis. For example, the probability of your organization having lost or stolen media is very high, while the probability of a complete loss of a data center is very low.

The impact to the company is measured across the X axis on a scale from “Insignificant” to “Catastrophic”. A lost backup tape can have devastating consequences, and they are often catastrophic.

Managing risk across an organization can be difficult especially in large enterprises with multiple business units across vast geographic areas.  Managing risk is not eliminating risk and therefore the best process is to find a balance in impact of the specific risk and the cost of mitigating the risk.

Using this information, the chart clearly indicates that the most common and damaging breach over this period has been lost or stolen media. This scale of information can be used to design a risk management program that focuses on preventing and managing the risks of the highest-impact and most likely events.

Figure 1

Balancing Risk

Traditionally risk management decisions are pushed down the organization level to match the level of threat.  Department level managers are expected to respond to minor risks, business unit or middle management to manage the moderate risks, and executive management to handle the more significant risks.

Finding the right balance between the level of IT risk management capabilities and the level of risk driven by the business is difficult. To address this, many companies have turned to IT risk management optimization. This is the art of balancing the organization’s investment in controls, policies, processes, and people against the level of risk produced by the business through daily internal operations and through increasingly complex external-facing activities such as outsourcing, mergers and acquisitions, and partnerships.

Trends in IT Risk Management

There are a number of significant trends in the area of IT risk management that enable optimization while adding significant value to both the IT organization as well as core business processes such as outsourcing, merger and acquisitions, compliance management, and the management of 3rd party relationships.  Figure 2 illustrates the elements of the balance of managing risk.

Figure 2

Businesses are going through constant change, and organizations are finding it difficult to keep up with their business outsourcing partners, trading partners, business partners, vendors, and suppliers. The use of regulated and sensitive data throughout the organization is unknown. These unknown relationships make keeping up with new and changing government regulations (e.g. SOX) and industry regulations (e.g. PCI) a constant challenge.

Risk Management

To understand the risk of any relationship, regardless if it is an internal business unit or an outside supplier, you must first understand the inherent risk.  Inherent risk is a measurement of the value or exposure from the relationship.  Mitigating controls counteract the inherent risk to provide a lower level of risk.   Residual risk is the risk that remains from the original inherent risk after the mitigating controls are applied.  This can be loosely thought of as: 

Residual Risk = Inherent Risk – Mitigating Controls 

To manage the risk of an entity (e.g. business unit, supplier, vendor) there are three primary risk measurements you need: Relationship Risk, Business Profile Risk and IT Control Risk.

Residual Risk = f((Relationship Risk + Business Profile Risk) – Mitigating Controls)

Figure 3

Understanding the different types of relationship risk and business profile risk, and applying mitigating controls such as IT controls, allows the organization to determine the amount of residual risk.

Each type of risk has different elements and impact to the overall risk.  Taking a deeper look at each of these will help develop a strategy for managing the residual risk and making sound management decisions on the right level of risk and investment for the organization. 

Relationship Risk

The first step to evaluating the inherent risk of the relationship is looking at such things as the relationship scope (e.g. type of services, data/business processes exposed), nature of the service (e.g. strategic value), geographic location of services, contract protections, and other relationship risk factors.  The amount of relationship risk provides intelligence for key stakeholders such as vendor management, corporate sourcing, relationship owners, and information security as to the inherent risk of the relationship.  Once the inherent risk is understood it can be used in the decision process.  If the relationship risk is beyond the risk tolerance of the corporation the risk factors can be used to determine the best steps to reduce the risk (e.g. change contract terms, change location of services, etc.).

Everyday example: If you own a home, the amount of relationship risk (or inherent risk) is the value of your home and the contents within it. If you have taken the additional step of calculating the market value of the home and contents, you have measured the inherent risk. Once you understand the total value of the home and contents, spending additional money on insurance to protect those assets is easy to justify.

Business Profile Risk

To further understand the inherent risk, it is important to look closer at the provider of the product or services. The business profile risks are risk factors such as the financial profile, geographical risk characteristics, geopolitical risk, type of business, etc. For instance, if a business fails because of financial stress, it can have a serious impact on the delivery of its product or services.

Another prime example of business profile risk is when you are developing core intellectual property in a country that does not respect copyright law (geopolitical risk).  This adds significantly to the risk of the project.  Dependent on the amount of relationship risk, a disruption in the service of this vendor could have a material impact on overall revenues and profits of the organization.   The Business Profile risk is combined with the Relationship Risk to give the business an overview of the total inherent risk.

Everyday example: Continuing the homeowner example, the location of your home may add more risk. One of the biggest risks to your home and its contents is fire. Fire can destroy the home, contents and valuables without any prior warning. When considering the risk to your home, living in a forest adds more potential for fire than living in a barren area. While the threat of fire does not add to the value of the home, it does add to the overall risk.

Control Risk

To reduce the amount of defined risk (inherent risk and business risk) mitigating controls are applied.  These controls can take many shapes and forms.  Smoke alarms and sprinkler systems are traditional controls to lower the inherent risk of a home fire.  In the information technology world, there are a number of generally accepted best practices and standards that are used to mitigate the risks of an IT system.  There are three central themes to mitigating controls: prevention, detection and recovery.  Preventive controls are those that prevent an information loss or security breach (e.g. Encryption is used to prevent unauthorized access to sensitive information).  Detective controls are those that focus on detecting attempts to access sensitive information or information systems (e.g. Intrusion detection and data loss leakage technologies are used to detect intrusions or unauthorized access).   Recovery controls are used to recover from a security event such as a breach in security resulting in access to sensitive information or information systems, or the failure of a critical system resulting in loss of services potentially impacting revenue for the corporation.  All of these controls are intended to lower the probability of a loss from an information technology event.

Everyday example: Continuing the homeowner example, removing the brush and other flammable materials adjacent to the home and installing sprinkler systems are ways to prevent a fire from causing significant damage. Smoke alarms and burglar alarms are installed to detect a fire or unauthorized access to the home. Storing copies of important documents in a bank safety deposit box is an example of a recovery control: if a fire does destroy the original documents in the home, they can be recovered from the safety deposit box.

Residual Risk

Once the level of inherent risk and business profile risk is quantified, and the effectiveness of the mitigating controls is estimated, the residual risk can be understood. Even after the best preventive, detective and recovery controls are implemented to the fullest extent, not all losses can be prevented. In most businesses, some control weakness exists due to budget or technology constraints (e.g. not all sensitive data is encrypted). Depending on the amount of residual risk, an enterprise may determine that the best course of action is to find a different or additional supplier to counter a high level of residual risk.

Everyday example: Continuing with the homeowner example, even after installing locks, smoke detectors, burglar alarms, etc., most homeowners purchase home insurance to mitigate the impact of potential losses due to a fire or robbery. Similarly, the executive responsible for managing information risk may choose to buy cyber insurance to mitigate the risk of a loss due to a security breach or a failure in key information technology services.

Summary

There are three key aspects of managing the risk of vendors: relationship risk, business profile risk and control risk. The relationship risk is the inherent value of the relationship as measured by revenue, regulatory exposure, critical business processes, etc. Business profile risks are the additional risks of the relationship that come from outsourcing the activity to a specific business, best illustrated by the credit or financial risk of the provider, geopolitical risk factors and even fraud activities. Control risks are the mitigating factors used to reduce the amount of inherent risk and/or business profile risk. Because perfect implementation of controls is not realistic, there are residual risks associated with the effectiveness of the mitigating controls that have been implemented.

The key to effective risk management is not to attempt to eliminate all risk. The cost of total risk elimination would be too great for any organization. Finding the appropriate balance of risk for the organization depends upon understanding the relationship between the three aspects of risk (relationship, business profile, and control risk). By measuring each type of risk, organizations are able to make informed business decisions to manage the residual risk.

Part II of this series will look closer at defining risk to reach a common understanding of the term and how it impacts the organization. It will cover the elements of risk: loss magnitude, including asset loss, external loss, and the variables that affect loss magnitude; and loss frequency, including proximity, control strength, threat agent capability, and the action the threat agent is willing to take. It will also take a closer look at the trends in risk management process maturity from Level I through Level IV. The higher the level of maturity an organization is able to achieve, the more cost effective the risk management process.

See how risk authorities measure the risk before managing the risk

Download our Solution Brief | Enterprise Supplier Exposure - Measure the Risk Before you Manage It. Evantix quantifies the inherent business risk across your supplier population for detailed risk analysis and measurable, focused risk management actions. This Exposure Assessment leverages Evantix’s state-of-the-art risk and compliance scoring analytics technology, which takes your existing supplier-related information (e.g. vendor/contract database, ERP system) and quantifies its relative risk based on industry standards and categories like brand, customer, data, financial, regulatory and operations impact. Call us at (949) 614-7075 or visit www.evantix.com.

About the Author: James Christiansen is a global risk authority in information security and, in addition to his current role as CEO at Evantix, James has held senior executive positions at some of the world’s largest companies. As the first Information Security Officer at Visa, he created and implemented Visa’s global information security program. At General Motors, he held the position of Chief Information Security Officer (CISO), where he was responsible for global information security operations across all business units. In his role as CISO at Experian Americas, he led vendor reviews and several high-profile merger and acquisition assessments.

Below the Line Benefits from Third-Party Risk Assessment

Okay, you've got the go-ahead to do a limited trial of an automated third-party risk assessment, leveraging a tool. Your stated objective is to get two strategic vendors up on the software to reduce the cost of annual audits of these vendors. But wait a second: don't miss your opportunities to really leverage your investment in ways much closer to home.

Traditionally, information security functions have grown up within IT.  Even though many of the functions of information security such as network security and even access control may stay within IT, the problem of measuring risk posture across the organization is getting more difficult for several reasons:

   New regulatory and standards definitions are driving toward a more detailed, implementation-aware format; and
   Organizations throughout the enterprise are gradually becoming more aware of information security but are "doing it themselves," which produces gaps and overlaps and an overall dispersion of direct accountability for information security that can detract from the attainment of overall risk objectives.

Consider treating your own organization as a "strategic vendor" for the purposes of developing a set of quantitative measures and focusing on the artifacts necessary to signify those measures. Take access control, for example. Can your staff responsible for access control produce clear policies governing how they handle access control requests, examples of properly approved requests, and reports of ongoing reviews of appropriate access controls as required by best practices? How about metrics concerning access control? Does the access control department maintain metrics for their handling of routine or exception access control requests, broken down by platform, major department or division, etc.? Using an automated third-party assessment tool, such questions could be delegated to your access control staff, and the artifacts of compliance with best practices could be entered by your staff or others on a decentralized basis and preserved for a point-in-time report on the effectiveness of your access control function.

Take business continuity planning as another example. Tracing from impact statements through to detailed inventories mapped against physical location, tabletop tests of recovery plans, and formal review of off-site recovery drills, one can gain a complete understanding of the readiness of the organization to recover after a disaster of any magnitude, based on the ability to identify and preserve artifacts that clearly point to the effectiveness of these processes within the organization. Again, those responsible for BCP can use the third-party assessment system to securely and asynchronously place the artifacts of their work in a repository that enables a holistic view of information security across the enterprise. This holistic view can be as quantitative as it needs to be. For example, an organization operating at CMM Level III may be expected to have well-defined metrics for their function and a clear time series for those metrics showing progress over multiple time periods. A CMM Level I organization, on the other hand, would not be expected to show as much repeatability in its operations and very likely might not have any year-over-year metrics in place yet.

While your business case for third-party risk assessment correctly focuses on the strategic importance, out-of-pocket savings, and relationship enhancement that occur when an effective tool is used with external parties for risk assessment, oftentimes important benefits are left out of the business case.  Just as the cobbler's children sometimes lacked shoes, the work of demonstrating best practices within information security is often relegated to a "when we can get to it" level of importance on the project list. Use your new third-party assessment tool to strengthen internal processes as well as to fulfill the external business case.  Who knows?  Next year a vendor may ask you "how do you do risk assessment internally?"  If you can demonstrate a process supported by an excellent third-party risk assessment tool, you'll be well on your way toward building a secure, high-quality third-party relationship.

What's The Inherent Risk in your Supply Chain?

According to the Verizon Cybertrust 2010 Data Breach Investigations Report, 70 percent of IT security breaches investigated by Verizon occurred from external agents.

This is an eye-opening statistic because most companies use external agents or vendors to handle sensitive tasks like payroll, transaction processing and business processing. This report highlights the risk of data loss and exposure that companies face when they place their confidential information in the hands of external service providers.

What's the inherent risk that your business could become part of this troubling statistic? Do you know how well your service providers are protecting your data? Do you have a handle on the level of risk exposure across your whole supplier portfolio?

How can you calculate inherent risk in your supply chain?
There are ways to calculate and understand the inherent risks you have to potential security breaches from external agents. Evaluating inherent risk requires companies to take the following three steps:

1. Identify third party relationships and services
First identify what type of third party relationships your business is engaged in, including supplier-vendor relationships, agent-broker relationships or business partnerships like marketing co-development or resale. Within each type of relationship call out all of the business processes and services that are being outsourced. Pay attention to processes involving information technology, HR, financial services, customer support services (e.g. call centers) and product development as these processes are especially vulnerable.

2. List the information that could be exposed
For each type of relationship and service provided, list the specific information, data or corporate assets that are being exchanged or exposed to your third parties. Highlight data regulated under U.S. and international privacy laws, such as Social Security Numbers, health care information and consumer financial or credit card information. Also note any potentially compromising corporate assets such as financial data or intellectual property.

3. Determine strategic, geographic and contract exposure

Finally, look at the exposure your company faces with respect to its relationships with third-party vendors. To determine strategic exposure, ask yourself: if the vendor went out of business, what would the impact to your company be? How long would it take to replace that supplier? It's also important to understand the different risk profiles of companies based on their country and location. Finally, analyze the contracts you have in place, or are negotiating, with vendors. Are there specific requirements for vendors to protect your data? Do you have the ability to audit these companies? Can you assess the vendor’s IT controls as part of the negotiation? These are all questions that will help to further determine exposure.

It can be challenging for some organizations to share the knowledge about their vendors gathered from all of the areas mentioned above, since this information tends to be housed in separate silos or departments. Yet understanding inherent risk exposure is imperative to effectively combat the increase in data breaches involving external vendors.

To stay ahead of the growing trend of external security breaches, you must continue to monitor risk exposure as your business processes and relationships with third-party vendors evolve and your dependency on them increases.

What is your company's strategy for understanding and monitoring security risks? How will the findings from the Verizon Cybertrust report affect your future safeguards?

About the Author: Chris Bell is a founder and VP of Product Management at Evantix, which provides an on-demand risk management solution that helps companies assess, manage, and monitor risk across their complex business relationships. He builds innovative risk management solutions for the market and advises companies on how to improve their programs. You can read more from Chris on the Evantix blog.

Find out how risk reporting software can help you manage supplier risk.

Free Webinar
In this educational personal webinar, you’ll learn how Evantix’s risk intelligence solution creates a credit bureau for your vendors, enabling you to make intelligent decisions about your business risk. Register for your personal webinar today.

The Future of Compliance Risk Assessments

The incorporation of legal and regulatory compliance requirements into technology risk assessments, although a relatively new development, is becoming more pervasive in a greater number of industries.

This is a reflection of the increasing attention that legislators have placed on regulating the collection, disclosure, use, protection, retention, and destruction of information. 

I believe that compliance risk assessments will change in five fundamental ways over the next few years:

1. The scope of compliance risk assessments will expand to support increased regulatory requirements and government scrutiny. The sheer number of legal and regulatory requirements will continue to grow. This is especially true in the financial services and healthcare industries. Tracking changes to legal and regulatory requirements, assessing the impact of these changes on the organization, and updating compliance risk registers will become an ever-increasing burden on companies already strapped for resources. The kicker is that these activities are a ‘must do’ and don’t contribute to corporate revenue streams.

2. The “checklist approach” for performing compliance risk assessments will not survive.  As we saw with the promulgation of PCAOB Accounting Standard 5 in relation to Sarbanes-Oxley § 404, the standards used to measure compliance will continue to evolve from a “one-size fits all” model to become more risk based.  This means that compliance risk assessments based on static checklists will become less and less useful and may even be harmful by not putting responses in a risk context.

3. Compliance risk management will continue to develop as a distinct specialization.  As risks related to compliance with legal and regulatory requirements become a proportionally greater portion of a company’s overall risk portfolio, the need for expertise in the technology compliance space will increase.  Although compliance risk management as a specialization is currently in its infancy, it is likely to gain greater recognition as a standalone profession in the future.

4. The compliance risk assessment activity will evolve into a continuous almost dynamic process.  Many companies currently perform compliance risk assessments once a year.  The compliance risk register is then “shelved” and is not revisited until the following year.  Because the pace of lawmaking is accelerating and the impact of these laws is increasing, leading companies will recognize the need to continually re-assess compliance risks on an ongoing basis.

5. Compliance risk assessments will incorporate more third party risks.  Risk managers often fail to incorporate the legal and regulatory risks created by vendors and outsourcers within their compliance risk assessments.  This is a significant error.  Although companies can outsource services, they cannot outsource their responsibilities to comply with the law.  This lesson was recently learned by companies that provided services to HIPAA covered healthcare entities.  With the recently enacted HITECH Act, these service providers are now subject to the same rules as the companies they served.

Although these developments will increase the prominence of compliance risk elicitation, analysis, and management, it is important to remember that legal and regulatory compliance risks are, and will continue to be, only one category of the many types of risk that should be managed in a comprehensive enterprise risk management program.

An over-emphasis on managing this category of risks may result in a company being fully compliant with the law but operating with reckless disregard to other types of risk.  That being said, the future looks bright for those who understand the ever increasing level of intersection between technology and the law.

Learn how risk assessments can streamline vendor compliance and score vendor risk.

Free Trial.
Shared assessments are an efficient and powerful way to streamline vendor compliance and mitigate risk.  Schedule a free trial of Evantix Risk Manager and start taking control of your supplier compliance today.

The Business Case For Proactive Vendor Risk Management


The business case for vendor risk management can be summed up in two words: do it. That's because vendor risk management is really not an option any more; it's a requirement for doing business. Because of this imperative, many companies treat vendor risk management as something to be done as cheaply as possible.

This is like doing recruiting as cheaply as possible, or doing accounting as cheaply as possible. The unspoken corollary is “Cut corners if you need to.”

This negative approach to vendor risk management can be very detrimental to relationships with vendors and customers and can detract from a company's ability to meet regulatory responsibilities.

In vendor risk management, there are other factors aside from cost that businesses can optimize and be proactive about. Instead of trotting that tired old Excel spreadsheet out once per year, build quality into the vendor risk management function. Here are three benefits of adopting a proactive vendor risk management process:

1. Stay ahead of the regulatory curve
Companies can use vendor risk management as an opportunity to stay ahead of changes in industry regulations. In most industries, regulations become more and more stringent with each new update; they don’t get easier. For example, PCI will soon finalize its PCI-DSS 2.0 standard, and companies are already scrambling to update their systems and controls to comply with the more stringent security measures. Companies that proactively manage their vendor risk can stay ahead of regulatory updates like these. Companies that take a reactive approach will be pressed to spend extra time and money on hasty solutions, and may miss strategic opportunities as a result.

2. Leverage risk to create more effective contract terms
Traditionally, contracts with a third-party vendor that involve sensitive or confidential data or information will include the following two contract terms: 1) Vendor shall keep all of the information secure, and 2) Customer has the right to review the vendor's security. These terms have been in contracts for decades, yet breaches continue to occur because all too often neither party understands the specific implications of the terms. The who, what, where, when and why are all missing from such contract terms.

Businesses should leverage risk up front to build contracts that specify certain controls. Contract terms can indicate when reviews will take place and even set up contingency reviews under certain conditions. For example, a contract might specify that if there is a breach in the vendor's system, the customer will be notified within 30 days. This also gives companies the ability to build contract terms that apply more rigorous monitoring and controls to risky processes and sensitive data sets. Perhaps most importantly, there is no better way to communicate the importance of information security than through the contracting process. And when vendors adjust their operations and systems to comply, or even lead, proactive vendor risk management is a great way to recognize this and elevate the relationship.

3. Improve vendor relationships
Broaching a proactive approach to risk management during contract negotiation can improve your company's relationship with a vendor. Taking a proactive risk management approach means you'll be working with the vendor to mitigate risks. A proactive approach builds on setting up specific contract terms by providing reporting, tracking the vendor's commitments to mitigating controls and documenting the results. A proactive stance will save the vendor time and money in the long run, making you a more valued client. It is also likely that the vendor has many other clients with security needs similar to yours. The vendor can then build security into its product value proposition by passing on the efficiencies and savings achieved through your agreement to other customers. I’ve seen many examples where a vendor, after a breach and resultant operations changes to improve security, has redone their marketing materials to highlight their commitment to security.

These benefits build a compelling business case to leave the reactive, bare-minimum approach to vendor risk management behind. Companies who opt for a proactive approach to vendor risk management will effectively mitigate risks and gain a more efficient and rewarding client-vendor relationship. The real business case for proactive vendor risk management should be: do it, and do it well.

About the Author: James M. Anderson is President of Professional Assurance, LLC, an advanced enterprise security consultancy.  Over his 30-year career, he has served as Vice President, Global Information Security Services for Visa, head of the information security unit of Morgan Stanley and as Director of Security and Information Services at Lexis-Nexis, Inc.  He holds the CISSP, CISM and CGEIT certifications.  You can follow his writing on the Evantix blog or connect with him on LinkedIn.

 Learn how risk assessments can streamline vendor compliance and score vendor risk.

Shared assessments are an efficient and powerful way to streamline vendor compliance and mitigate risk.  Schedule a free trial of the Evantix Risk Manager and start taking control of your supplier compliance today.

4 Benefits of On-Demand Risk Reporting

In vendor risk management, the annual audit cycle is quickly becoming obsolete. Both regulators and clients continue to push for more timely and relevant data requests. Vendor risk management is moving toward on-demand reporting, which allows companies to call up the latest risk data and format it in the most relevant way to meet client and regulatory requests.

Whether you conduct risk management in-house or work with a third party vendor, there is a need to upgrade to an on-demand reporting solution. Below are four examples of how on-demand reporting can help businesses to stay leading-edge and offer their customers the best service:

1. Efficiently meet data requests
The reality in today's business world is that demand for data can come at any time. You do not want to be stuck providing outdated information, or asking vendors for reports that are outside of your contract terms. What if a client wants to see the current details of your vendor risk management solution before signing a contract with you? In order to get their business, you'll need to supply current data fast. If you have an annual audit cycle, you may be stuck with data from the first quarter of 2009, because the report for the 2010 audit is still being written. On-demand reporting eliminates this time delay and allows you to share up-to-the-minute data that's not locked into an annual or even quarterly reporting cycle. This also helps you to quickly analyze and update controls in response to evolving industry regulations.

2. Provide targeted formatting
On-demand reporting allows you to respond to specific requests and formats. When requests come in for information detailing vendor risk, even within the same industry, they are often going to be formatted in different ways. While you may have a timely PCI report ready, you may not have information that's formatted in a way that maps across the same data set included in a BITS* report. An on-demand system can very quickly build a new report to bridge this format gap and meet a client's needs.

3. Build a scalable solution
On-demand systems also make vendor risk reporting a scalable service that's easy to adapt across new industries. Let's say you primarily serve pharmaceutical clients and have never before worked with a healthcare client. You can leverage an on-demand system to provide data for a new prospective health care client in compliance with HIPAA requirements. It is also easier to build new reports without working from the ground up. From existing controls, you can map a subset of controls for a new type of request. This lets you reuse existing controls to produce a new report quickly and to focus on the gaps that you haven't measured yet.

4. Reduce time and costs
If you make a request for information outside of the annual audit reporting cycle, this request may not be covered under the terms of your contract. A vendor may deny the request and ask you to pay out of pocket or wait until next year for this crucial data. Like most business-to-business software solutions, on-demand vendor risk reporting software uses a simple back-end interface. This takes the added costs, mystery and waiting out of new vendor risk reporting formats. You no longer have to rely on annual or quarterly reports or put in a ticket with your provider and wait weeks for results. On-demand means the data is there and it's as simple as you or your vendor putting in a query, pushing a button and getting the data out.

It is becoming critical for companies to gather risk reporting data and develop reports according to specific frameworks and on a very timely and responsive basis. On-demand risk reporting software is very much in keeping with the accelerated pace of contracting and using third parties to meet information needs. It can be the difference between “just in time” and “not quite in time” reporting.

* BITS is a division of the Financial Services Roundtable. “BITS” originally stood for “Banking Information Technology Secretariat” but is no longer used as an acronym. BITS maintains an extensive library of security requirements for use in financial services organizations and applications.

About the Author: James M. Anderson is President of Professional Assurance, LLC, an advanced enterprise security consultancy.  Over his 30-year career, he has served as Vice President, Global Information Security Services for Visa, head of the information security unit of Morgan Stanley and as Director of Security and Information Services at Lexis-Nexis, Inc.  He holds the CISSP, CISM and CGEIT certifications.  You can follow his writing on the Evantix blog or connect with him on LinkedIn.

Find out how risk reporting software can help improve your business.

In this educational personal webinar, you’ll learn how Evantix’s risk intelligence solution creates a credit bureau for your vendors, enabling you to make intelligent decisions about your business risk. Register for your personal webinar today.

5 Ways to Minimize Risk Exposure

Risk management is something to be taken very seriously. There's nothing more potentially harmful to a company's reputation and bottom line than a technology security breach.

However, many companies out there are over-managing risk exposure or using complicated and expensive solutions to mitigate risks, when there are much simpler solutions available.  To more efficiently manage risk, let's go back to basics and take a look at five simple (and often overlooked) ways to minimize risk exposure:

1. Stop looking for a silver bullet
Remember that a “control” is not the same thing as a “security product.” Despite what the salesman may say, a shiny new technology solution is not a “silver bullet” to reducing every conceivable risk.  Changes to an existing process or the implementation of a simple procedure are often all that is required to reduce risk to an acceptable level.  

2. Don’t forget risk acceptance
Many times further risk mitigation simply does not make financial sense. When the potential loss resulting from a risk is less than the cost of implementing a risk mitigating control, get senior management to accept the risk and move on to the risks that remain unacceptable. That said, don’t forget to monetize the potential cost of reputational damage or loss of public or regulatory goodwill in your calculations.

3. Use risk to enable business development
You don’t need to eliminate all risk. Sometimes technology risk management professionals forget that businesses must take some risks to succeed. Launching innovative new products can be risky. Just be sure your organization understands the risks and keeps them at an acceptable level. Once risk is at or below the organization’s tolerance level, stop mitigating, or you'll mitigate your way to a decrease in revenue!

4. Consider risk transference
Shifting risk elsewhere is a relatively painless, but oft-forgotten, method. Risk can be transferred to a third party through a legal agreement or an insurance policy. Today most commercial property and casualty policies come with a built-in cyber-insurance policy or rider. Be sure you are aware of any such coverage and factor that into your risk assessment. Instead of adding new controls, it may be more cost-effective to allow a contract or insurance policy to cover losses.

5. Improve existing controls before deploying new ones
Technology risk management professionals often start down the road of proposing the implementation of new controls without examining the effectiveness of existing ones.  Often existing controls can be upgraded or shored up enough to reduce risk to an acceptable level without undertaking a costly new deployment.

Bring these five basic solutions to the table during a risk assessment to save your company valuable time and resources. 

 What other systems do you have in place to minimize risk exposure?

About the Author: Bradley J. Schaufenbuel, CISSP, CRISC, is Senior Vice President and Chief Information Security & Privacy Officer at Midwest Bank – Now Part of FirstMerit Bank, N.A.  He is a regular speaker at industry conferences and has authored numerous books and professional journal articles on topics related to information security and I.T. risk management.

Learn how risk assessments can streamline vendor compliance and score vendor risk.

Shared assessments are an efficient and powerful way to streamline vendor compliance and mitigate risk.  Schedule a free trial of Evantix Risk Manager and start taking control of your supplier compliance today.

5 Key Takeaways from Banking Risk Management

As more and more transactions and business processes move online, managing technology risk has become a key component to business success.

For industry leaders who want to improve their technology risk management, the banking industry is a good model to learn from. Risk management is more mature in banking than it is in other industries.

What motivates banks to use such advanced risk management techniques? Let's take a look at some of the factors that make banking so risk-oriented:

  • Banks have been managing credit risk since the Middle Ages and have enterprise risk management expertise built into the foundations of their organizations.

  • Banking is more highly regulated than other industries and must demonstrate truly effective management of risks to bank examiners.

  • Banks handle extremely sensitive personal financial information and customers expect a high level of security.

  • Today banks are completely dependent on technology and must manage technology availability risk, as well as have backup plans and redundancies in place to resume business as quickly as possible.

  • What banks sell to customers is security and trust. Managing reputational risk is integral, as a loss of reputation can be a deathblow in the banking industry.

  • Failure is simply not an option for banks. The customers, shareholders, and regulators of banks have zero tolerance for unmanaged risk.

Now that we've covered the reasons for banking's strong risk management programs, we can delve into some of the industry's best practices that contribute to successful risk management. Here are five takeaways about risk management in the banking industry, which leaders in other industries can learn from:

1. Treat risk management as a continuous process
Among industry leading banks, technology risk management is a continuous process. It is not an exercise that is performed once a year and then shelved. Risk is constantly monitored, measured, and acted upon, because banks know that vulnerabilities change and new threats evolve. If leaders in other industries began to view technology risk management as an ongoing activity rather than an annual chore, they would realize more benefit from it.

2. Integrate risk analysis into product development
Banks integrate risk management into the technology service life cycle. Risks are analyzed in the development stage and risk mitigating controls are built into products and services from their inception. If leaders in other industries managed risk proactively instead of reactively, they would save the time, effort and money expended on future risk mitigation.

3. Take a customer-centric approach to risk
In banking, the customer is a primary stakeholder of technology risk management. Because customer trust is so critical to their business, banks look at their own potential losses as well as potential losses for customers. If leaders in other industries utilized a customer-centric risk management approach, they could engender a similar level of customer trust.

4. Embrace positive risk
Just because a new product or service is risky, that does not mean a company should shy away from it.  Industry leading banks are not afraid to take risks.  One example is Chase Bank's new Quick Deposit product. Chase was not afraid to roll out this new feature and most likely analyzed the level of risk during product development, to be sure it was at an acceptable level. By embracing an acceptable level of risk, they were first to market with a new solution that has been wildly successful.

5. Support a culture of risk management
Bank executives give risk management leaders a seat at the executive table, provide them with the support they need and incorporate their suggestions into business decision making. If leaders in other industries committed the resources and talent necessary to build an in-house culture of risk management, they would likely see a positive return on investment from effective technology risk management.

As you can see from these banking industry best practices, it pays to be proactive, rather than reactive, about risk management. If leaders in other industries really take the time to build risk management into existing business processes, they'll have the technology risk infrastructure in place to lead in product development and customer service.

How might some of the banking industry's best practices inform your risk management policies?

About the Author: Bradley J. Schaufenbuel, CISSP, CRISC, is Senior Vice President and Chief Information Security & Privacy Officer at Midwest Bank – Now Part of FirstMerit Bank, N.A.  He is a regular speaker at industry conferences and has authored numerous books and professional journal articles on topics related to information security and I.T. risk management.

Learn more about critical steps to safeguard your business relationships from risk.

Download Third Party Risk Management: Critical Steps to Safeguard Your Business Relationships.   In this educational white paper, you’ll learn how new risk intelligence systems are helping companies mitigate the risk of their distribution channels.


The Benefits of Shared Assessments for Risk Management

We are all familiar with the main benefits of standardized home appraisals – predictable pricing, comparability, efficient transactions and grounds for legal recourse.

Can you imagine what the housing and mortgage markets would be like, if there was no standard way to appraise homes?

Well, home appraisals were not always standardized and the old system of proprietary appraisals made buying a home much more costly, chaotic and difficult to pursue. 

Adopting systems of shared assessments has worked for the housing and consumer credit industries, among others, so why not adopt shared standards in the IT security industry?

While there are a handful of shared IT assessment programs out there today, the majority of IT assessments are currently done on a proprietary one-off basis, which disadvantages companies and vendors.

The market needs to adopt a shared IT assessment framework.  Let's take a look at some of the main benefits below:

1. Increased transparency

Without shared standards, there are many different methods or approaches to conducting IT assessments. When companies look at the end results, they do not know exactly what controls were evaluated or how they were tested in order to produce those results. With shared assessments, both companies and vendors would know exactly which controls were evaluated and the processes used to test them.

2. A basis for recourse

With shared assessments, companies would have a clear and shared understanding or agreement as to which controls were in place and when. A standard for evaluating IT systems, that stated outright the system's security measures, would provide grounds for recourse in future negotiations or if a breach or other attack occurred.

3. More streamlined vendor selection

If every vendor conducted testing in the same way, there would be more consistency across vendors. This would enable companies to search for a vendor more efficiently, trust the assessment results, compare vendors, and even trend to see who's improving and who's not improving. Without a standard system for assessments, results are non-comparable, costs are higher and vendor selection takes much longer.

The absence of IT assessment standards is a shared problem that hurts buyers and suppliers. This shared problem demands a shared solution, which will drive down costs and increase quality, transparency and recourse.

I truly believe the market is being driven toward the use of shared IT assessments. When do you think shared assessment will become the norm?

Photo credit: Britta Boehlinger

About the Author: Chris Bell is a founder and VP of Product Management at Evantix, which provides an on-demand risk management solution that helps companies assess, manage, and monitor risk across their complex business relationships. He builds innovative risk management solutions for the market and advises companies about how to improve their programs. You can read more from Chris on the Evantix blog.


How can you cost-effectively apply a risk assessment template to thousands of suppliers?

In this educational personal webinar, you’ll learn how Evantix’s risk intelligence solution creates a credit bureau for your vendors, enabling you to make intelligent decisions about your business risk. Register for your personal webinar today.



Business Driven Vendor Risk Assessment Template

The pace and level of outsourcing, although slowed in the past few years, continues to grow, with almost no business processes left untouched. Outsourcing decisions often occur under the radar with limited risk management oversight. In addition, it is quite common to perform a risk assessment after a contract has been signed, leaving a company with very little leverage to address critical audit findings. In an ideal world, risk assessments should be performed before the contracts are signed so that the requirement to correct critical findings makes its way into the contract between the parties.

These relationships also tend to evolve rapidly from a risk perspective as the scope and location of services change to accommodate business needs. The risk assessment templates traditionally used to manage this risk simply cannot keep pace or produce any type of actionable output for the business. Furthermore, these risk assessment templates typically require the active participation of a professional “risk manager”, which is a scarce resource in most businesses, if they have one at all!

What’s the solution? Use a risk assessment template written in business terms that:

  • Is integrated into the business process for “business buyers” to execute
  • Informs the buyer of the risks their purchase presents and
  • Gives them clear guidance as to what they MUST do to manage this risk

In constructing this business-driven risk assessment template, here is a general five-step approach to help you get started:

Step 1- Policy

Develop and communicate a policy that requires all vendor relationships of a certain nature (e.g. involve sharing of information or outsourcing certain business processes) be registered and a risk assessment performed by the relationship owner prior to approval or renewal.

Step 2- Questions

Develop the universe of risk factors (e.g. information exposure, compliance exposure, strategic value) you want to manage and translate them into questions the business relationship owner can understand. For example, the risk of non-compliance with the Payment Card Industry (PCI) standard for protecting cardholder data is translated as “Are you sharing credit card data with the vendor?” as opposed to “Does the relationship require compliance with PCI?”.

Step 3- Score

Score the questions and answers relative to each other from a risk perspective so that the results can be

  • Compared against other relationships to give you a portfolio view
  • Tracked over time as the scope of the relationship changes and
  • Aggregated with the total population of relationships for portfolio analysis

Step 4- Guidance

Based on the specific results of individual questions and the overall score, develop a set of required actions or guidance the business owner must take (e.g. assess/confirm the vendor’s compliance with PCI).

Step 5- Integrate

Look at the touch points within your business environment where buyers must interface (e.g. procurement and legal) and integrate the risk assessment template and supporting process for best results at those points.
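The five steps above, worked as a small runnable model. This is an added example, not code from the original post or from Evantix: the question bank is written in business language (as Step 2 advises), each "yes" carries a weight, scores are comparable across relationships, trackable over time and aggregated for a portfolio view (Step 3), and guidance is triggered by individual answers and the overall score (Step 4). The question ids, weights, tier thresholds, guidance text and sample vendors are all assumptions constructed for this example.

```python
"""Business-driven vendor risk assessment template (hypothetical example)."""
from dataclasses import dataclass, field

# Constructed question bank: (question id, business-language question,
# weight added for a "yes" answer, guidance triggered by a "yes" answer).
# Weights and wording are assumptions of this example, not Evantix's.
QUESTIONS = [
    ("card_data", "Are you sharing credit card data with the vendor?", 40,
     "Assess and confirm the vendor's PCI compliance before signature."),
    ("pii", "Will the vendor store or process customer personal information?", 25,
     "Add data protection, breach notification and right-to-review contract terms."),
    ("offshore", "Will the service be delivered from outside your home country?", 15,
     "Confirm cross-border data transfer requirements with legal."),
    ("critical_process", "Would an outage at the vendor halt a business process within a day?", 20,
     "Obtain and test the vendor's business continuity and recovery plans."),
]
MAX_SCORE = sum(w for _, _, w, _ in QUESTIONS)  # 100 with these weights


def score_assessment(answers):
    """Score one relationship (0..MAX_SCORE) from yes/no answers keyed by question id."""
    return sum(w for qid, _, w, _ in QUESTIONS if answers.get(qid, False))


def tier(score):
    """Bucket a score into a tier; thresholds are an assumption of this example."""
    if score >= 60:
        return "high"
    if score >= 30:
        return "medium"
    return "low"


def guidance(answers):
    """Required actions for the relationship owner, driven by individual answers
    and by the overall tier (Step 4)."""
    actions = [g for qid, _, _, g in QUESTIONS if answers.get(qid, False)]
    if tier(score_assessment(answers)) == "high":
        actions.append("Route to the risk management function for review prior to approval.")
    return actions


@dataclass
class Relationship:
    vendor: str
    history: list = field(default_factory=list)  # (period, score) snapshots

    def record(self, period, answers):
        """Re-assess when scope changes; keep the score so it can be tracked over time."""
        s = score_assessment(answers)
        self.history.append((period, s))
        return s

    def trend(self):
        """Change in score since the first snapshot (positive means riskier)."""
        return self.history[-1][1] - self.history[0][1] if len(self.history) > 1 else 0


def portfolio_view(relationships):
    """Aggregate the latest score of every relationship for a portfolio view."""
    latest = {r.vendor: r.history[-1][1] for r in relationships if r.history}
    counts = {"high": 0, "medium": 0, "low": 0}
    for s in latest.values():
        counts[tier(s)] += 1
    ranked = sorted(latest.items(), key=lambda kv: kv[1], reverse=True)
    return {"ranked": ranked, "by_tier": counts,
            "average": sum(latest.values()) / len(latest) if latest else 0.0}


if __name__ == "__main__":
    # Constructed sample: a payroll processor whose scope grew to include card data.
    payroll = Relationship("payroll-processor")
    payroll.record("2010-Q1", {"pii": True, "critical_process": True})
    payroll.record("2010-Q3", {"pii": True, "critical_process": True, "card_data": True})
    printer = Relationship("print-shop")
    printer.record("2010-Q3", {"offshore": True})
    print(portfolio_view([payroll, printer]))
    for action in guidance({"pii": True, "critical_process": True, "card_data": True}):
        print("-", action)
```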

Remember, the Business Driven Vendor Risk Assessment Template is all about integrating risk management into the outsourcing/procurement process by giving the relationship owners the tools and guidance to act as front line risk managers.

Photo Credit: mrbill

About the Author: Chris Bell is a founder and VP of Product Management at Evantix, which provides an on-demand risk management solution that helps companies assess, manage, and monitor risk across their complex business relationships. He builds innovative risk management solutions for the market and advises companies about how to improve their programs. You can read more from Chris on the Evantix blog.

How can you cost-effectively apply a risk assessment template to thousands of suppliers?

In this educational personal webinar, you’ll learn how Evantix’s risk intelligence solution creates a credit bureau for your vendors, enabling you to make intelligent decisions about your business risk. Register for your personal webinar today.
