
Thursday, October 24, 2013

Is it Worth the Risk?


Managing Risks

Risk Management is crucial to the success of every company. If an organization never takes risks, it will not thrive in a competitive market; if it takes risks without managing them, it can fail. Information technology systems play a large role in most organizations, so a company has to manage its IT risks properly if it wants to continue to do well. Once you have assessed your risks and identified ways to control them, you should examine the trade-off between cost and benefit for every control option. One way to accomplish this is through a Cost Benefit Analysis (CBA).


Cost Benefit Analysis

A CBA compares the business impact of a loss with the cost of the control that would prevent or reduce it. For example, the loss of data on a file server may represent the loss of $1 million worth of company information. Implementing a backup plan to ensure the availability of the data may cost $10,000. In other words, you would spend $10,000 to protect $1 million. This makes sense. A CBA starts by gathering data to identify the costs of the controls and the benefits gained if they are implemented.


·         Cost of the control—Purchase costs plus the operational costs over the lifetime of the control.


·         Projected benefits —Potential benefits gained from implementing the control. You identify these benefits by examining the cost of the loss and how much that loss will be reduced if the control is implemented. A control does not always eliminate the loss; it may only reduce the risk.

The following equation can be used to determine the CBA, where the Annualized Loss Expectancy (ALE) is the expected loss per year (single loss expectancy multiplied by the annualized rate of occurrence):

CBA = ALE before the control - ALE after the control - annual cost of the safeguard

A positive result means the control saves more per year than it costs; a negative result means the benefit does not justify the expense.
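The calculation as an added worked example (this is not code from the original post). It applies the equation above to several control options for the file-server scenario, annualizes the purchase cost over the control's lifetime as the "cost of the control" bullet describes, and flags any option whose lifetime cost exceeds the value of the asset it protects. The control names, dollar figures and occurrence rates are constructed for illustration, and ALE = SLE x ARO is the standard definition assumed here.

```python
"""Cost-benefit analysis of security controls.

ALE (annualized loss expectancy) = SLE (single loss expectancy) * ARO
(annualized rate of occurrence).  The net annual value of a control is

    CBA = ALE_before - ALE_after - annual cost of the safeguard

where the annual cost spreads the purchase price over the control's lifetime
and adds the yearly operating cost.  All figures below are constructed.
"""
from dataclasses import dataclass


@dataclass
class Control:
    name: str
    purchase_cost: float          # one-time cost
    annual_operating_cost: float  # yearly cost to run and maintain it
    lifetime_years: int           # period over which the purchase is amortized
    sle_after: float              # single loss expectancy with the control in place
    aro_after: float              # occurrences per year with the control in place

    def annual_cost(self) -> float:
        """Purchase cost spread over the lifetime, plus yearly operating cost."""
        return self.purchase_cost / self.lifetime_years + self.annual_operating_cost

    def lifetime_cost(self) -> float:
        """Total spend over the control's life; compared against asset value."""
        return self.purchase_cost + self.annual_operating_cost * self.lifetime_years


def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy."""
    return sle * aro


def cba(ale_before: float, control: Control) -> float:
    """Net annual benefit of a control: positive means it pays for itself."""
    ale_after = ale(control.sle_after, control.aro_after)
    return ale_before - ale_after - control.annual_cost()


def evaluate(asset_value: float, sle_before: float, aro_before: float,
             controls: list) -> list:
    """Rank controls by net benefit and attach a decision to each.

    Returns a list of (name, net_benefit, decision) sorted best-first.
    """
    ale_before = ale(sle_before, aro_before)
    results = []
    for c in controls:
        net = cba(ale_before, c)
        if c.lifetime_cost() > asset_value:
            decision = "reject: costs more than the asset is worth"
        elif net > 0:
            decision = "implement"
        else:
            decision = "do not implement: accept, transfer or avoid the risk"
        results.append((c.name, round(net, 2), decision))
    results.sort(key=lambda r: r[1], reverse=True)
    return results


# Constructed scenario: $1M of data on a file server, total loss expected
# about once every ten years (ARO = 0.1) with no control in place.
ASSET_VALUE = 1_000_000.0
SLE_BEFORE = 1_000_000.0
ARO_BEFORE = 0.1

CONTROLS = [
    # Nightly backups: a loss now costs only one day of changes.
    Control("nightly backups", 30_000, 4_000, 5, sle_after=50_000, aro_after=0.1),
    # Hot disaster-recovery site: eliminates the loss, but costs $150k/yr.
    Control("hot DR site", 500_000, 50_000, 5, sle_after=0, aro_after=0.1),
    # Over-engineered option that costs more than the data it protects.
    Control("gold-plated storage", 4_000_000, 200_000, 4, sle_after=0, aro_after=0.1),
]

if __name__ == "__main__":
    for name, net, decision in evaluate(ASSET_VALUE, SLE_BEFORE, ARO_BEFORE, CONTROLS):
        print(f"{name:22s} net benefit/yr: {net:>12,.2f}  -> {decision}")
```

Note that the DR site is not rejected by the asset-value test (its lifetime cost is below $1M) but still loses on the CBA, because the $100,000 of annual loss it removes is less than its $150,000 annual cost; the two checks catch different mistakes.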

Here is a nice video tutorial that illustrates the cost benefit analysis concept:

Is it Worth it?

If the costs outweigh the benefits, the control may not be worth implementing. Instead, the risk could be accepted, transferred or avoided. The cost benefit process will help to:


·         Determine the cost of protecting an asset


·         Define the economic loss if the asset remained unprotected


·         Prioritize actions and spending on security


A company should not spend more to protect an asset than the asset is worth!

Here are some useful links to help in deciphering the various costing methods:
Simple Risk Analysis
FFIEC
The Society of Information Risk Analysts

Wednesday, October 16, 2013

IT can be a RISKY Business!


Risk Management

Risk management is an important activity for a business. Identifying risks, assessing their impact, and making the right financial decision about how to deal with each one are crucial areas that need to be addressed. In addition, programs that continually measure and assess the effectiveness of your company's current safeguards are vital to the risk management process. Managing risk is continuous; it is not a one-time project!


What is a Risk?

It's probably best to define a Risk by the following formula: 

Risk = Threats x Vulnerabilities x Impact

Threat: Any potential danger to information or an information system (the actor or event that could cause harm).
Vulnerability: An information system weakness that a threat could exploit.
Impact: The harm done if the threat exploits the vulnerability, usually expressed in terms of the value of the asset you are trying to protect.

The formula is a model rather than an exact calculation: if any factor is zero (no threat, no vulnerability, or nothing of value), there is no risk, and reducing any one factor reduces the risk.

Develop a Risk Management Assessment Plan

Developing an effective Risk Management Plan is an important part of any project, but unfortunately, is often viewed as something that can be dealt with later. However, without a plan even small emergencies can get out of hand. Here is a flowchart depicting steps that can be taken to create a sustainable plan for Risk Assessment.


"Everything that can be counted does not necessarily count; everything that counts cannot necessarily be counted"  
~Albert Einstein~

Here are some more sites that I found useful when researching this subject:

Friday, October 11, 2013

ISO 27K What?

What is ISO 27000....

With the growth of the internet and the explosive emergence of mobile technology, managing information security has become even more vital and should encompass all aspects of an organization's operations. As consumers, we want to be certain that our information is being protected by an organization. For instance, if you use a website, you want to be assured that the information you provide is safe from internal and external threats.
One way to accomplish this is by utilizing the ISO 27000 series of security standards. The ISO 27000 series originated from the British Standard BS 7799. It is comprised of information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Certification (against ISO/IEC 27001, the requirements standard of the series) is voluntary, and it lets an organization show that its information security management system meets a defined standard.
The series is designed to cover more than just privacy, confidentiality and technical security issues; it also addresses business processes and business assets. At the time of writing, the ISO 27000 series contains six publicly available parts, each dealing with a different area of IS Security Management, with several more being developed.

Plan - Do - Check - Act




The ISO 27000 series utilizes the Plan-Do-Check-Act model in its procedures. Just like a circle has no end, the PDCA cycle should be repeated again and again for continuous improvement.
If you would like to find out more about the ISO 27000 series please follow these links:

ISO 27000 Security
ISO Standards

Wednesday, October 2, 2013

Security Starts With You!


How many of us have written little password reminders on sticky notes? Working in an office environment, I have seen quite a few screens covered in these notes. This type of issue should be dealt with in a simple security training course offered by every organization. With all of the advances in technology, it is now even more important to address the need for strict security controls and to raise awareness of security protection.

Security Training is a Wise Investment

The current economic climate is forcing companies to choose which programs they need to discontinue. While it might seem like an area where a company can save a few dollars, security training should not be where an organization withdraws its support. Employee and contractor behavior is a primary source of costly data breaches, and changing that behavior is one of the cheapest ways to prevent loss.

Security Awareness Isn't Just a Good Idea, It's the Law

Raising security awareness is not just good company practice. There are also laws and regulations that require companies to provide training in this area.
Some laws requiring security and privacy awareness or training programs apply to:
  • The Federal Government (Federal Information Security Management Act, FISMA)
  • The health care industry (Health Insurance Portability and Accountability Act, HIPAA)
  • Financial institutions (Gramm-Leach-Bliley Act, GLBA)
  • Publicly-traded companies (Sarbanes-Oxley Act, SOX) 

Inexpensive Tools to Get You Started

Here are some inexpensive ways you can raise security awareness in your organization:
  • Posters
  • Free On-line training courses
  • Company meetings
  • Government pamphlets
  • YouTube Videos offer another free source
Remember: security is only as strong as your weakest link. Help prevent these types of issues by being proactive in raising your company's security awareness.

This is a great YouTube video I found showing an actual product that is being sold called the Password Reminder. It was featured on the Ellen show:



Some links for more information:
InfoSec Institute
Sophos - Security Do's and Dont's
Security Breach Examples