Cyber risk management
Information has become organisations most important and valuable asset, hence, demanding to be protected and secured appropriately. Protecting information means managing risk of securing the information in a balanced way.
News in regards to security breaches at major companies and governments due to cybersecurity attacks hit the headlines on a regular basis and most organisations have some form of governance to help them achieve their information security objectives. However, due to rapid change in type of attacks and innovative way of breaching a company’s information security measures, the governance model for information security have to make sure to one step ahead of the attackers. In the end, it is up to management to ensure that processes and procedures enable the appropriately level of security over the information of the company.
How does one go about securing an IT environment?
For most companies, this is a daunting task, especially when the required expertise is not available in-house.
A number of standards are available that can help secure the businesses’ IT and information assets. One such standard is ISO 27001, which is well-known for providing requirements for an Information Security Management System (ISMS). An ISMS is a systematic approach to managing sensitive company information so that it remains secure. The standards can be implemented in both small and large businesses in any industry sector.
What would implementation entail and what are its benefits?
To answer the first part of the question, when implementing a framework based upon a standard such as ISO 27001, one has to keep in mind that this has to be treated similarly to any other major IT project. There is no easy fast-track solutions to implementing the information security framework based upon the ISO standard. The key points are:
1. Ensuring management support
it is very important that management supports the project. Without this support, implementing the standard (or any standard for that matter) would be doomed from the start. Management commitment should ensure that there are enough resources available to manage, develop, maintain and implement the ISMS.
2. Defining the scope
Like any other project, one must define the scope and consider whether the whole or part of the organisation should be covered. The scope should be kept manageable to avoid increasing the project risk.
3. Defining and performing Risk Assessment
This is the most crucial stage of the project. It is important to choose a risk assessment method to help identify the vulnerabilities and threats that may have an impact on the specific business, and to define the acceptable level of risk. If these are not clearly defined from the beginning, the resulting processes will also be incorrect. The focus is to be able to get a comprehensive picture of the risks facing the security of the organisation’s information.
4. Processing the Risk Treatment
The purpose is to treat the risks identified to an acceptable level. There are four main ways in which this can be done:
- Apply the security controls of ISO 27001/2
- Transfer the risk to another party (ex. Insurance company)
- Stop the activity (avoiding) entirely
- Accept the risk, especially if the cost to mitigate the risk is much higher than the loss of the risk itself.
5. Applying the Statement of Applicability
As part of ISO 27001 you will need to have a Statement of Applicability which provides a list of 114 controls which the company needs to assess and determine:
- Whether these controls are applicable to the business of if any other controls needs to be put in place
- In each case the reasons as to why they are applicable
- The control objectives to be achieved.
6. Documenting the Risk Treatment Plan
The purpose of the Risk Treatment Plan is to take each of the applicable controls identified in the Statement of Applicability and define how they are to be implemented. This includes identifying the control owner and the frequency of the control and a description of the implementation method.
7. Implementing the controls
This is the part where the applicable controls have to be implemented. In this step, it is important to first define how to measure the effectiveness of the controls. This would include defining the measurement of the fulfilment of the control objectives. Implementing new controls, would mean implementing new technologies and behaviours in the organisation. It is often the case that resistance to change by the individuals responsible for the control is likely and this is why the next point is crucial for the successfulness of the ISMS.
8. Implementing training and awareness programs
Employees need to be aware of the new policies and procedures to be implemented. Training and awareness programs should be given periodically to employees so they are aware of the risks of non-compliance. There is no technology that can prevent someone not paying attention for a sophisticated social engineering attack. Hence the necessity to have proper awareness is of utmost importance.
9. Monitoring the implementation of the ISMS
The ISO 27001 standard follows a Plan-Do-Check-Act (PDCA) cycle. In order for the ISMS implementation to be effective, it needs to be reviewed by management as part of the internal audit process in periodic, planned intervals. This should also include changes / improvements to policies, procedures, controls and staffing decisions. The results of audits and periodic reviews are documented, maintained and any recommendations actioned.
Risks and benefits with implementing the standard
The implementation side of the standard may seem overwhelming and costly when compared to the risks perceived by management. Yet, management is often neither aware of all the risks nor of the benefits that come with implementing the standard. These include:
1. An ISMS is a systematic approach to managing the security of sensitive information and is designed to identify, manage and reduce the range of risk exposure to which your information is regularly subjected. This should in itself provide the peace of mind that information within the business environment are safe.
2. ISO 27001 certification proves that threats and vulnerabilities to the system are being taken seriously. Customers and third party suppliers are naturally concerned about the security of their data. Compliance with ISO 27001 gives confidence to stakeholders that international best practice to mitigate such threats and vulnerabilities is being followed.
3. ISO 27001 enables organisations to avoid costly penalties and financial losses. Over the past few years both small and large businesses have been subjected to a number of cyberattacks, which have been extremely costly, both from a regulatory and a reputational standpoint.
In conclusion, no business can afford to be complacent because they can be the victim of a costly security breach, regardless of its size. With proper implementation of standards such as ISO 27001, such risks can be substantially reduced.