CHAPTER 7: RISK MANAGEMENT STRATEGIES

The importance of risk management in the commercial sector was recognised in the Turnbull Report produced by the Institute of Chartered Accountants (www.icaew.co.uk), the recommendations of which became mandatory in December 2000. Broadly, the provisions state that:

•  Risk management is the responsibility of the whole Board of Directors.

•  Organisations should have a system of controls to protect shareholder and company assets.

•  The controls should be reviewed at least annually.

•  Risks should be regularly assessed and include risk management and financial, operational and compliance risks.

The key principles of corporate, IT and project governance were explored in Chapter 5. Effective risk management is a vital and fundamental component for the implementation of governance principles.

This chapter offers some practical suggestions for the creation, development and implementation of a risk management framework for the management of Internet risk within a professional services organisation. Once the risk management framework has been established, the organisation should strive to maximise its effectiveness through the application of governance principles.

The key elements involved in assessing and prioritising risk were examined in Chapter 6. There must also be in place an effective strategy for risk control and management; that is, its elimination or reduction to manageable levels. Risk management involves having clear procedures in place throughout an organisation in order to reduce failure or error.

Risk management strategies must be owned at a senior level within an organisation, so that established procedures and processes are observed, implemented and enforced. This is fundamental to the successful management of risk.

Earlier chapters identified the three areas of technological, legal compliance and operational risk. Since these risks span all areas of an organisation, a wide range of personnel become involved, offering different skills and assuming different responsibilities for implementing solutions. A framework is required within which the functions and responsibilities of different personnel are defined and understood throughout the organisation. This chapter explores the key features of risk management and a framework for the management of cyber risks.

Senior management

Certain characteristics are required of management if a strategy is to be implemented to optimum effect.

There must be leadership at senior level from those with skills and capabilities in Internet technologies. The commitment of the Board or Partners to the implementation of any strategic development is crucial and it is in the interests of the organisation to ensure senior level support for the strategy and its implementation.

Cyber risks introduce new types of risk requiring new management strategies that affect the whole organisation. Management of the strategy may require the recruitment of skilled staff, the retraining of existing staff, or the assignment of new responsibilities. The changes may be significant. If they are to be driven through, a committed approach from senior management is essential.

Effective communications are essential for the proper function of the organisation. Simple, direct, jargon-free, relevant communication, with a focus upon both content and recipient, is the most effective way of delivering an effective strategy.

The strategy may concern staff at all levels, so care must be taken to ensure that communicating the strategy is inclusive. Information should be accurate and timely. Communicating means establishing a dialogue, receiving feedback and making staff feel involved in the process.

Motivation is most easily achieved by treating people differently, listening to their concerns and offering encouragement on subjects that cause stress and difficulty. It is part of the process of communicating effectively. Staff perceiving that their concerns are recognised will more readily participate in changes that affect them.

Risk management principles

The adoption of five key principles is essential when approaching risk management.

The first requirement is a disciplined approach to decision making. There must be a comprehensive understanding of the scope, function and limitation of the strategy to be pursued.

Second, there is a need for a culture of awareness that risk both is present and cannot be ignored. Senior management creates an organisation’s culture and, therefore, bears responsibility for the development of an awareness culture in an enterprise.

Third, there is a need to develop skills in weighing risk against potential opportunity. Encryption technology may involve considerable resources in terms of staff training and the cost of technology. However, if properly managed, the strategy will more than pay for itself if corporate clients are attracted through a perception that the organisation is sensitive to consumer concerns over security and adopts a modern approach to its use of information technology.

Fourth, there is need for an understanding of the wider implications of managing the strategy – an appreciation that the risk may be spread, or that implementation might involve a mix of approaches. This is particularly appropriate for Internet risks, where the risks arise from a variety of areas and where management solutions may be needed for these different risk areas simultaneously.

Fifth, there is a need to appreciate the changing environment, and that the organisation should be in a position to handle changes as they occur. New technology solutions emerge with great frequency. Each solution may have management implications in terms of new functions required of personnel and possibly the emergence of new legal compliance risks.

Objectives

The organisation’s objective is to be responsive both in its approach to problems and to the imposition of internal or external changes. In this way, it will develop a flexibility that will enable it to manage risk and take advantage of business opportunities. The ultimate objective of any management strategy is to improve performance and to develop opportunities. Take as an example an organisation’s website. Examples of risk management objectives might be to:

•  promote the name and reputation of the organisation and protect them from damage;

•  display up-to-date information for consumers, and avoid misinformation;

•  maximise cost-efficiency by, for instance, minimising wasteful telephone resources;

•  increase electronic take-up of the organisation’s services by ensuring a user-friendly site.

Examples of risk management objectives in respect of the use of e-mail might be to:

•  improve the speed and quality of communications by avoiding poor e-mail protocol;

•  encourage information sharing;

•  facilitate communications by avoiding unsupervised e-mail activity;

•  ensure confidentiality by managing encryption services.

Benefits

Risk management offers different benefits at different levels. Careful supervision and management of information on a website supports a strategy of developing a one-to-one relationship with commercial consumers. Ensuring a disciplined approach to the use of internal and external e-mail will increase efficiency. Adopting a controlled approach to use of the Internet will avoid wastage of employees’ time and eliminate possible criminal liability.

The Internet is always available – advice and services may be required at all times. Consumers have expectations in this respect and organisations are expected to respond as part of their marketing strategy. Appropriately devised and carefully implemented strategies enable an enhanced service of this nature to be provided.

Taking a general view, a comprehensive strategy implemented conscientiously and with the commitment of top management enables an organisation to take confident control of its operations and facilitates a proactive approach in the development of its services and clients.

Cyber risk management framework

A cyber risk management framework should be integrated into the framework for the overall management of the organisation. It is important to avoid a cyber risk management strategy being ‘hijacked’ by developing its own identity and pursuing its own agenda, otherwise there is a danger of lack of commitment from those not involved in its implementation and of indifference towards its effectiveness.

Directly beneath and accountable to the Directors or Partners should be a risk manager, together with any team in support. At the same level might be:

•  in-house experts who liaise with the risk manager, but might also offer expert advice independently to the Directors or Partners;

•  internal auditors, for the most part working in conjunction with the risk manager, but also offering audit advice to the Directors or Partners;

•  external sources, such as external consultants and external auditors.

Directors or Partners are then able to take a wider view of the strategy as a whole. Managers manage the risk. In-house experts provide specialist assistance. Auditors provide independent and objective assessments. While there may be some interaction between the various parties, the structure of accountability means that the Directors or Partners are at the centre of the strategy, with an overview.

The management of cyber risks can be mapped across this model. The framework of resources and accountability remains. However, the sources of information for the risk manager will flow from line managers in a number of areas. The risk manager will require advice and information from line managers experienced in technology, legal compliance and operational issues. The risk manager may also need to call upon specialist internal or external assistance. For any assessments the risk manager makes, there will be accountability to the Directors or Partners and perhaps to the auditors.

Risk manager

The risk manager has two functions. The first is to advise the organisation about the risks involved in any particular strategy. The second is to take or assume ownership of the risks. These responsibilities include:

•  ensuring that responsibility for managing is clearly established, communicated, delegated and accepted;

•  ensuring internal controls are adequate;

•  establishing appropriate information systems;

•  reviewing strategic developments.

What are likely to be the requirements of a risk manager? First, as Internet technologies involve a real understanding of information technology, the risk manager must have some grounding in this area if the risks are to be properly assessed and evaluated. There are also legal and operational risks. The risk manager, therefore, requires some awareness of legal and human resource management skills. The risk manager should also have some administrative capability to ensure that risk management strategies are implemented effectively.

The risk manager must be able to take an overview, identifying strategies and objectives across areas in which cyber risks arise, selecting the most suitable options. The risk manager is the focal point for identifying and managing risks as they arise and will consult line managers and exchange information with internal and external experts, as well as receiving the Directors’ or Partners’ views and concerns.

A new skills certification has been launched for risk management professionals – the Certification in Risk and Information Systems Control – commonly referred to as CRISC. It has been developed by ISACA (www.isaca.org), the Information Systems Audit and Control Association, for IT and business professionals personally engaged in risk mitigation.

Project manager

The project manager will direct the team alongside the risk manager on the implementation of the strategies approved by the risk manager.

A project is a task intended to be undertaken in specific time limits and with specific individuals and is usually the responsibility of a team. Internet risk management is not only a project in itself, but also comprises a series of sub-projects, such as the introduction of encryption technology and procedures, and the monitoring of employees’ use of e-mail.

From a governance perspective, certain features are critical to the success of a project:

•  continuous alignment with objectives;

•  regular monitoring and auditing;

•  adequacy of resources;

•  a structured approach to risk management.

Where required, the application of project management methodologies and tools such as PRINCE2 and Val IT 2.0, both discussed in Chapter 5, might be adopted.

In leading the project, the project manager should have in mind the need for:

•  executive leadership;

•  senior-level approval and commitment;

•  clear strategies, objectives, allocations of responsibility and accountability, planning and budgetary considerations and resources;

•  monitoring and verifiable measurement procedures as the project progresses.

Alan Calder has addressed this aspect of project management at some length in IT Governance Today: A Practitioner’s Guide, IT Governance Ltd. (2005).

Cyber risk team

Emily Freeman of Lockton International offers some helpful markers in identifying the key issues facing a cyber risk management team:

The key issue for proper management of Internet risk is that there is a cross-functional structure of cyber risk management, and that risk management is not structured in individual silos.

Typical areas that should be represented within the risk committee or team structure include the following:

•  internal audit/compliance;

•  risk management;

•  IT security;

•  legal;

•  business units/operations;

•  procurement.

The risk management strategy should be supported at board/senior executive level and managed and implemented by various individual managers by function, and a standing risk committee with clear lines of responsibility and accountability.

Skills

Managing cyber risks calls for skill and capability in a variety of specialist areas, such as risk management, information security, legal and regulatory issues, personnel management and administrative functions.

Other skills may also be required, depending upon the size of the organisation, the way it employs Internet technologies and the electronic services it provides. With such a wide variety of disciplines, the logical approach is to create a cyber risk team of suitably skilled and qualified individuals equipped to address and manage the needs of the organisation.

The most appropriate leader of the team is the risk manager. The risk manager must be capable of articulating the advice of the team to the Directors or Partners and acting as a conduit.

Team members should have interpersonal skills to handle feedback in respect of the new issues being addressed. Teamwork requires conformity to a common purpose and mutual support. A team develops through a shared level of dependency and mutual interest and is most effective when its performance as a unit is of greater value than the performance of the individual team members.

The team should document its own risk control plan, identifying the particular cyber risks to which the organisation is exposed and the solutions or controls to be adopted. It should dovetail with the organisation’s business plan. If the principal business plan changes, the risk control plan should be amended to take account of any new risks to which the organisation may be exposed.

Roles

The structure of the team should be documented, so that the framework for the management of the project is clearly understood. A documented job description clarifies areas of responsibility and accountability.

A convenient way of clarifying accountability is to make each team member accountable to the risk manager in the first instance. In turn, the risk manager should be accountable to a specific director, partner or committee for the performance of the team – in effect, a line management approach.

There should be specific assignment of responsibility for particular functions – technology risks, legal compliance risks and operational risks. In addition, there should be a board or partnership representative. The team may wish to co-opt specific members for particular projects. These might include, for instance, representatives in respect of finance, marketing or public relations.

Team members should be properly inducted on appointment and the new appointee should be informed of the responsibilities and functions of the other team members, their relationship with each other and team operating procedures. New Internet risks are always emerging because of the shifting and mercurial nature of Internet technologies so a framework for the education and training of all team members is necessary.

The composition of the cyber risk team might resemble this:

•  the risk manager;

•  the technology risk representative(s);

•  the legal compliance risk representative(s);

•  the operational risk representative(s);

•  board/partnership representative(s);

•  other optional representatives.

Consultants will be drawn in where specialist expertise is required, especially for such issues as business continuity and disaster recovery.

It is important to ensure adequate awareness of:

•  the objectives of the team;

•  the steps to be taken by each team member;

•  the respective responsibilities of each team member;

•  the respective accountabilities of each member;

•  induction procedures;

•  training and skills development;

•  audit procedures.

Strategies

It is important to link the operations of the cyber risk team with the business plan of the organisation to ensure that any risk arising from the business plan will be identified. The organisation’s business plan should identify any new, extended or improved services to be provided. The response of the team should be to identify any cyber risks to which the new range of services exposes the organisation and to incorporate this in its risk control plan.

Thought should be given to the type of cyber risk that might result from any new business developments. For instance, if the organisation proposes to introduce a system of electronic payments for certain of its services, the cyber risk team should identify and address any new risks.

Business environments change so rapidly that long-term planning is often impractical. The team’s risk control plan should reflect, in broad terms, the lifespan of the principal business plan. The rapid development of new technology solutions may require the team to recommend the adoption of a particular solution not available when the plan was conceived. The implementation of new legislation might give rise to a cyber risk that did not exist when the principal business plan was prepared. In such situations, the cyber risk team becomes a major asset to the operation of the organisation, its vigilance extending its function from reactive risk avoidance to proactive risk anticipation and introducing new ideas for business development.

Projects

The team will need to define closely the nature of the risk and the type of hazard presented to the organisation, and consider its likely duration and frequency, and whether it is an internal risk, for example the behaviour of employees, or an external risk, for example the risk of virus infiltration.

The first task is to define at an early stage how the project will be managed and resourced. It will also be necessary to identify the scope and objectives of the project. The project may be relatively straightforward, for example the design of a website. A much more complex project might involve the integration of a customer’s or client’s security systems with those of the practice.

Objectives

The team’s objective is to control, reduce or eliminate the risk. A decision must, therefore, be made on the organisation’s tolerance to each risk. For instance, the installation of anti-virus software will protect against known viruses, not against malicious code that is written at a later date. The best that can be done is to reduce or minimise risk by ensuring that anti-virus software is regularly updated.

There are three options open to the risk management team. First, the risk might be tolerated if it is not cost-effective to manage it. If an organisation proposes to advertise its services and is concerned about the infringement of applicable codes of advertising in foreign jurisdictions, the organisation might take an expedient view and place a notice on the site to the effect that the advertisement is directed to, say, those seeking advice or services in England and Wales only. The risk is reduced, leaving a residual risk which can be tolerated.

Second, steps can be taken to eliminate the risk. Elimination of risk is problematic in terms of Internet technologies because of their novel features and the relative uncertainty of their implications. However, a simple example might be to eliminate the risk of infringing data protection provisions when obtaining marketing information about visitors to the firm’s website by taking steps to ensure that informed consent is obtained to the process. Once eliminated, the risk can be monitored for any change from time to time.

Third, steps can be taken to transfer the risk. Probably the most likely example of this is to arrange insurance cover. Insurance cover is not a substitute for efficient management strategies, but is an essential support when all possible steps have been exhausted in addressing a specific risk.

In formulating a plan, a useful approach is to document the objectives in the risk control plan, including an executive summary, types of emergency, responses, identification of responsibilities and documentation.

Resources

Resources are ultimately for senior management to consider and will represent a balance between the degree of the risk and the cost of managing it in an acceptable way. The balance between cost and risk is a basic formula to be considered in every management strategy. As the use of Internet technologies develops, organisational expenditure on its risk management strategy will increase.

In deciding the budget, the organisation will need a good understanding of the level(s) of risk to which it is exposed and the degree of its vulnerability. Internet technologies introduce a wide variety of risk and the budget should be proportionate to the risk involved. As the organisation is taking a strategic approach to budgeting, enterprise-wide financial support should be provided. There is little point in providing support departmentally.

In terms of technology risks, the principal items of expenditure are likely to involve hardware and software requirements for implementing solutions, importing whatever technology solutions are needed to meet identified risks. In terms of legal compliance risks, recourse to a daily or weekly legal updating newsfeed or news service may be necessary. However, there may be other items. For instance, if the team were to recommend that the firm should achieve certification under relevant British or international standards, the anticipated expenditure would need to be included in the budget. From time to time, legal and professional advice is likely to be required.

Financial resources should be allocated in accordance with the agreed priorities. It is important that expenditure is shown to be a return on investment. The effectiveness of a strategy is not governed by the amount of expenditure, but by the effectiveness of the expenditure in terms of meeting the organisation’s need. The easiest way to identify potential expenditure is for each team member to assess expenditure required in his or her own domain and to present a case for it to the risk manager. The Board or Partnership ultimately sanctions expenditure for resources, emphasising the importance of partner-level involvement in the team.

Authorisation

Authorisation procedures should be in place. This is an indication of commitment at the highest level to managing cyber risks and it ratifies any subsequent action that may be taken by the management team.

The level at which authority for a particular action should be given will depend upon the nature of the action to be taken. The Directors or Partners may agree to delegate all decisions to the management team, particularly if there is a board or partnership representative. On the other hand, the decisions that the management team are required to take may have significant strategic, operational or financial implications. In that case, the Directors or Partners may prefer to receive recommendations for strategies for formal endorsement or amendment as appropriate.

Decisions

Once the risk control plan has been developed, thought must be given to the way in which the risks can be treated. It can be helpful to prepare a matrix for this purpose, which can be as simple as a grid of four squares. Along the base line is a measurement of consequence, from ‘low’ to ‘high’. Along the vertical line is a measurement of likelihood, also from ‘low’ to ‘high’.

The bottom left square of the grid represents a risk of low consequence and low likelihood and, therefore, may be a risk requiring toleration, or no action. The bottom right square represents a risk of high consequence but low likelihood and, therefore, might be a transferable risk, perhaps through insurance. The top left square represents a risk of high likelihood but low consequence and, therefore, should be covered in the risk control plan. The top right square represents a risk of high likelihood and high consequence and, therefore, requires immediate elimination.

Unless a particular risk, or set of risks, can be eliminated entirely, there will be some residual risk. It is important to understand the distinction between this residual risk on the one hand and inherent risk on the other hand.

Management is largely concerned with inherent risk, namely risk that is critical and requires immediate attention. In the first instance, the team will be concerned with the control of inherent risk. Once inherent risk is controlled, some residual risk may remain. Senior management will be concerned that this remains residual and that it is manageable without further action. The level of residual risk, therefore, depends upon the degree to which the inherent risk can be controlled.
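The four-square grid and the distinction between inherent and residual risk can be made concrete in a small risk register. The following Python script is an added illustration, not part of the chapter: the 1-to-5 scores, the threshold at which a score counts as ‘high’, the sample risks and the effect attributed to each control are all constructed assumptions. It scores each risk as first assessed (inherent), places it in the grid to pick a treatment, applies the planned controls to derive the residual score, and then re-places the residual risk so that senior management can see which risks remain outside tolerance.

```python
"""Worked example: 2x2 likelihood/consequence grid and inherent vs residual risk.

Added illustration for the chapter's risk matrix; scores, threshold and the
sample register below are constructed for the example, not the book's data.
"""
from dataclasses import dataclass, field

# Constructed scale: 1 (low) .. 5 (high); a score at or above HIGH counts as 'high'.
HIGH = 3


@dataclass
class Risk:
    name: str
    likelihood: int   # inherent likelihood, 1..5
    consequence: int  # inherent consequence, 1..5
    # Planned controls: (description, likelihood reduction, consequence reduction).
    # The reductions are assumed figures agreed by the cyber risk team.
    controls: list = field(default_factory=list)


def band(score: int) -> str:
    """Collapse a 1..5 score onto the grid's two bands."""
    return "high" if score >= HIGH else "low"


def treatment(likelihood: int, consequence: int) -> str:
    """Map a (likelihood, consequence) pair onto the four squares of the grid."""
    lik, con = band(likelihood), band(consequence)
    if lik == "low" and con == "low":
        return "tolerate"   # bottom left: no action needed
    if lik == "low" and con == "high":
        return "transfer"   # bottom right: e.g. insurance cover
    if lik == "high" and con == "low":
        return "control"    # top left: address in the risk control plan
    return "eliminate"      # top right: immediate elimination


def residual_scores(risk: Risk) -> tuple:
    """Apply each planned control to the inherent scores; scores never drop below 1."""
    lik, con = risk.likelihood, risk.consequence
    for _desc, d_lik, d_con in risk.controls:
        lik = max(1, lik - d_lik)
        con = max(1, con - d_con)
    return lik, con


def assess(register: list) -> list:
    """Produce one row per risk: inherent treatment, residual scores, residual treatment."""
    rows = []
    for risk in register:
        r_lik, r_con = residual_scores(risk)
        rows.append({
            "name": risk.name,
            "inherent": (risk.likelihood, risk.consequence),
            "inherent_treatment": treatment(risk.likelihood, risk.consequence),
            "residual": (r_lik, r_con),
            "residual_treatment": treatment(r_lik, r_con),
        })
    return rows


def needs_escalation(rows: list) -> list:
    """Names of risks whose residual position is still not tolerable without further action."""
    return [row["name"] for row in rows if row["residual_treatment"] != "tolerate"]


# Constructed sample register, loosely following the chapter's own examples.
SAMPLE_REGISTER = [
    Risk("malicious code arriving by e-mail attachment", 4, 4,
         [("anti-virus software kept regularly updated", 2, 0),
          ("filtering of executable attachments", 1, 0)]),
    Risk("out-of-date information displayed on the website", 4, 2,
         [("scheduled content review procedure", 2, 0)]),
    Risk("advertising infringes codes in a foreign jurisdiction", 2, 3,
         [("notice limiting the advertisement to England and Wales", 0, 2)]),
    Risk("marketing data collected without informed consent", 3, 3,
         [("informed consent obtained before collection", 2, 2)]),
]


if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f"{row['name']}: inherent {row['inherent']} -> {row['inherent_treatment']}, "
              f"residual {row['residual']} -> {row['residual_treatment']}")
    print("still outside tolerance:", needs_escalation(assess(SAMPLE_REGISTER)))
```

In the sample register the e-mail malware risk starts in the top right square (eliminate); after the planned controls its likelihood falls to ‘low’ but the consequence is untouched, so the residual risk sits in the bottom right square and is the one entry reported for transfer, for example through insurance. The other three fall to the tolerate square once their controls are applied, which is the outcome the chapter describes for the advertising notice and the consent step.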

Implementation

Responsibility for implementation lies with those involved in complying with any policy developed by the management team. For example, those using e-mail will be responsible for ensuring that both they and their subordinates comply with any declared e-mail acceptable use policy.

Responsibility also lies with the risk management team itself. The management team will be accountable to the Board or Partnership for ensuring compliance with adopted policies and solutions. The authority of the management team might be underpinned by the presence of a director or partner on the team, so that compliance is ensured.

Records

There are important reasons for maintaining adequate records of incidents. A full record will state the problem, the progress and the objectives of any solution. Adequate details will also be available in the absence, for example through illness, of the team member responsible. Records will also help in the event of any claim against insurers and enable the organisation to develop an archive of experience in handling incidents and problems, as well as helping with audits.

Some record will be needed to identify and distinguish the different projects in which the team might become involved. The projects may vary considerably. The team might be asked to undertake a risk assessment on the installation of software for an electronic payments system. It may be asked to investigate the feasibility of providing services via an extranet, or to assess the implications of allowing a particular customer or client access to the organisation’s intranet. There will also be what may be termed ‘casework’, where the team investigates security incidents, client complaints or other external issues arising from its electronic services.

It is sensible to maintain a case file for each ‘case’ assigned to the cyber risk team. Certain information should be recorded, such as: the team member responsible; the nature of the incident; any risk assessment details; external assistance required, for example from consultants; the interests of any third parties; the policy approved by the team; and critical dates for the project.

The team should make recommendations for the adoption of policies and procedures to manage a particular risk. The most obvious examples are the adoption of e-mail use or Internet access policies. More specifically, particular measures may be needed for a particular customer or client.

It is important that procedures adopted by the organisation are properly documented and circulated. They should be accessible to others with whom the organisation has dealings, such as financial service advisers.

The team will collect a considerable body of data. It is sensible to maintain a formal database to avoid duplicating original research.

There should be an index of each incident, identifying the team member responsible for its management. There should be a record of the action identified by the team and a progress chart to indicate the steps taken, identifying any key dates. The objectives of the strategy and its potential impact, internally and externally, should be noted. Changes in the adopted strategy should be noted. If capable of assessment, there should be some record of the costs involved at each stage, so that appropriate and timely budgetary control can be exercised.

The use of external resources, for example consultants, should be recorded, together with a note of all others whose participation is essential for the effective management of the solution. These may include specific individuals in the practice, or even whole departments where the involvement of departmental heads will be required.

The organisation should be able to analyse the cost of each cyber risk ‘incident’ that arises. Records should be maintained detailing the cost in terms of expense and time in rectification of any security breaches, resolution of communication problems or addressing of compliance problems.

Monitoring

Risk management is a continuous process and must be flexible enough to meet continuously evolving changes. After implementation, it will be necessary to monitor progress on both a short-term and long-term basis.

Monitoring and review of incident files is important because it tests the effectiveness of a proposed solution adopted to meet a particular problem or risk and offers an opportunity for a change in strategy, or adoption of an alternative solution, if the chosen solution is ineffective.

The monitoring process will be concerned with a number of different outcomes. The most immediate will be the extent to which the risk has been eliminated or resolved in accordance with the project plans. The risk manager will also need to ensure that the controls remain in place and that awareness training continues as required.

There should be specifically assigned responsibility for the monitoring and supervision of the team’s risk management strategy. There should be regular review and reporting procedures, perhaps as an agenda item for each meeting of the management team.

Logically, the leader of the management team should be responsible for the review, perhaps with any board or partnership representative. Reports would be received from each of the specific risk area (technology, legal and operational) representatives. Each representative would report upon existing risk areas, and discuss the impact of the adopted strategy, and review and evaluate its impact.

If for any reason the risk control plan or the project plan has not been implemented as required, appropriate adjustments will be needed. The same applies if the results are not as intended, even though implementation is proceeding as planned. Either situation may involve minor corrective action or the need to revisit the risk assessment.

Audits

Audits are a critical part of the risk management process. Organisations are now under considerable pressure to identify and address risk issues. Boards of directors and partnerships have to show stakeholders that risks are being acceptably managed. Audits evaluate the effectiveness of risk management strategies and recommend improvements. They determine whether key risks are being controlled, whether controls are operating effectively, and whether management is identifying and responding to emerging risks through efficient and effective accountability.

In undertaking an audit, either internally or externally, management should establish the purpose of the audit; identify the key factors supporting the evaluation of its findings; identify the key factors to be employed in audit testing; and, on receiving the report, evaluate, implement, report, monitor and improve its risk management systems and procedures.

Any audit of risk management processes should include a focus on governance structures. There should be an unambiguous assumption of leadership by the Board or Partnership, supported by: clear documentation specifying lines of responsibility and accountability; clearly identified policies and procedures; and identifiable processes for planning, detection, monitoring, reporting and reviewing risk management strategies.

Information security is a critical area of risk management for all organisations. Typical areas that the organisation will need to audit include the effectiveness of:

•  network security technology;

•  website security technology;

•  IT systems security technology;

•  remote, mobile and wireless security technology;

•  PCI compliance technology;

•  communications (e-mail, instant messaging, VoIP) security technology;

•  data security technology.

Richard Spooner, Head of IT Advisory at Baker Tilly, says that audits are highly challenging for the accountancy profession:

From the perspective of professional accounting practice, one consistently worrying risk relates to the provision of auditing services. The proliferation of electronic transactions gives rise to considerable auditing risks. Electronic transactions are not transparent in the same way as paper-based transactions. They are difficult to identify and there may be no formal permanent records of transactions. In turn, this makes it very difficult, if not impossible, to establish an audit trail.

Auditing the business of, for instance, city traders and, say, Internet gaming companies, presents considerable professional risks to auditors when audit trails are so difficult to identify. Furthermore, this extends over organisations of all sizes, including, for example, supermarkets in the context of complex supply chains controlled by computerised ordering systems.

Audit services are offered by a number of organisations and various resources are available offering help and guidance in approaching an IT audit – see, for instance, Praxiom Research Group Ltd. (www.praxiom.com) for an example of critical issues to be addressed in information security auditing.

From an IT governance perspective, what are the procedural criteria for an IT security audit?

Alan Calder⁵ suggests auditors should conduct a risk-based audit, usually based on four procedures:

1  Determine the scope of the analysis of the IT processes by their support of critical business processes and processing of financial information.

2  Obtain background information about the supplier’s IT environment, its underlying platforms and networks.

3  Identify the IT processes which have a direct and important effect on processing financial information.

4  Evaluate the effectiveness of each of the major IT processes and related internal controls.

Documented processes, procedures, mechanisms, tools and controls should be available to the auditors and the audit should cover architecture, platform and application technologies. Specialist auditors may be required for specific IT systems, and a range of audits may be needed to address individual objectives.

Chapter 5 identified IT and project governance frameworks that might underpin an Internet risk management project and this chapter suggests how a management framework might be constructed in order to meet the demands of the many and various types of Internet risk.

It is important not to confuse governance and management. Governance is not management and management is not governance. Management is concerned with the actual conduct and implementation of a strategy. Governance is a framework which supports effective management and provides tools such as industry standards and methodologies that help assure the success of management strategies and the outcomes of projects undertaken in their implementation.

Standards certification

A number of British and international industry standards, many supported by codes of practice, have been developed for the certification of organisations with regard to management of information security strategies and their risks. This section identifies the principal standards available. Every organisation is different and will need to identify the risks to which it is exposed and then consider which, if any, of the standards are most appropriate for the management of its risks.

Corporate governance of information technology

BS ISO/IEC 38500:2008

Chapter 5 identified principles of corporate governance; in particular, the need for governance principles to be applied to IT strategies and how BS ISO/IEC 38500:2008 provides a framework for this. The standard is not directly concerned with risk, but rather provides a framework of good practice for organisational processes and procedures which, if adopted, help minimise exposure to risk in the execution of business processes.

Project management

BS 6079:2002

As explained in Chapter 5, the adoption of a strategy for managing Internet risk and information security is a project in the same way as any other business project. On the same principles as BS ISO/IEC 38500:2008 above, this standard provides an organisational framework of processes and procedures which help to minimise exposure to risk arising in the development, management and execution of projects.

Risk management

BS 31100:2008

The code of practice, BS 31100:2008, for risk management provides recommendations for the framework, process and implementation of risk management. It is designed for: CEOs, CFOs, CROs, CIOs, COOs, CTOs, chairmen and company secretaries, managing, finance and IT directors, and risk managers, among a number of other categories.

The standard provides recommendations for the framework, process and implementation of risk management and should be used for:

•  ensuring a business achieves its objectives;

•  ensuring risks are proactively managed in specific areas or activities;

•  overseeing risk management in an organisation;

•  providing assurance on risk management strategies;

•  reporting to stakeholders, for example through annual financial statements, corporate governance reports or corporate social responsibility reports.

The standard establishes the principles and terminology for risk management. It also gives recommendations for the model, framework, process and implementation of risk management gained from experience and good practice.

Business continuity

BS 25999-1:2006 business continuity: code of practice

BS 25999-2:2007 business continuity: specification

These standards represent respectively the code of practice and the specification for business continuity. The code provides a comprehensive set of controls based on best practice throughout the business continuity management life cycle.

The specification sets out the requirements for establishing, implementing, monitoring, reviewing, exercising, maintaining and improving a documented business continuity plan. It does not seek to impose uniformity; organisations should develop strategies for their own needs.

BS 25777:2008 information and communications technology continuity management; code of practice

This code of practice is intended to support a wider business continuity plan and addresses the ICT subset of it. The code covers such issues as ICT continuity programme management and ICT continuity strategies and their development, implementation, exercising, testing, maintenance, review and improvement.

The code supports the process towards certification under BS 25999-2:2007: Specification for business continuity management.

BS ISO/IEC 24762:2008 information technology: security techniques: guidelines for information and communications technology disaster recovery services

This standard offers guidance on the provision of disaster recovery services as part of business continuity management. The standard is described as especially suited to outsourced service providers, as it sets out the best practices that suppliers should consider. It highlights specialist requirements such as special encryption software, secured operating procedures, equipment, knowledgeable personnel and application documentation.

Information security

BS ISO/IEC 27001:2005 information security

This standard provides a benchmark for the management of information security management systems (ISMSs). It provides a specification for ISMSs and the foundation for third-party audit and certification. It is compatible with other management system standards, such as ISO9001 and ISO14001, and will assist in the integration and operation of an organisation’s overall management systems. This specification replaces BS 7799-02:2002.

The principal elements of the standard address:

•  definition, requirements, establishment, implementation, monitoring, review and improvement of an ISMS, together with supporting documentation;

•  management issues including responsibilities, resource issues, resource provision, commitment, training awareness and competence;

•  audit and review processes, including input and output, improvement processes and corrective and preventative action through prescribed control mechanisms.

There are also a number of related standards addressing the management of ISMSs. They include:

•  ISO/IEC 27005:2008: Information security techniques;

•  ISO/IEC 27002:2005: Information technology security techniques: code of practice;

•  BS ISO/IEC 27004:2009: Information security techniques: information security management: measurement.

BS ISO/IEC 27003:2010 information security management systems: implementation guidance

BS ISO/IEC 27003:2010 focuses on the critical aspects needed for successful design and implementation of an ISMS in accordance with ISO/IEC 27001:2005.

It describes the process of ISMS specification and design from inception to the production of implementation plans. It describes the process of obtaining management approval to implement an ISMS, defines a project to implement an ISMS (referred to in ISO/IEC 27003:2010 as the ISMS project), and provides guidance on how to plan the ISMS project, resulting in a final ISMS project implementation plan.

The process described within this international standard has been designed to provide support for the implementation of ISO/IEC 27001:2005.

BS ISO/IEC 27003 is intended to be used by organisations implementing an ISMS. It is applicable to all types of organisation of any size. Each organisation’s complexity and risks are unique, and its specific requirements will drive the ISMS implementation.

BS ISO/IEC 27004:2009 information security management – measurement

BS ISO/IEC 27004 is the standard that provides guidance on the development and use of measures and measurement in order to assess the effectiveness of an ISMS and controls or groups of controls, as specified in BS ISO/IEC 27001.

This would include policy, information security risk management, control objectives, controls, processes and procedures, and supports the process of revision by helping to determine whether any of the ISMS processes or controls need to be changed or improved. It needs to be kept in mind that no measurement of controls can guarantee complete security.

The implementation of this approach constitutes an information security measurement programme. The information security measurement programme assists management in identifying and evaluating non-compliant and ineffective ISMS processes and controls, and prioritising actions associated with improvement or changing these processes and/or controls. It may also assist the organisation in demonstrating ISO/IEC 27001 compliance and provide additional evidence for management reviews.

BS ISO/IEC 27033-1:2009 information technology security: network security

The majority of commercial organisations have their information systems connected by networks, with the network connections being one or more of the following:

•  within the organisation;

•  between different organisations;

•  between the organisation and the general public.

The purpose of BS ISO/IEC 27033 is to provide detailed guidance on the security aspects of the management, operation and use of information system networks, and their interconnectivity.

Those individuals within an organisation who are responsible for information security in general, and network security in particular, should be able to adapt the material in this standard to meet their specific requirements.

Data protection

BS 10012:2009 specification for a personal information management system

Data protection issues involve both technology and compliance issues. A British standard has been published specifying the requirements for a personal information management system. It provides an infrastructure that includes the implementation of a framework for compliance with the DPA.⁶

It is intended for adoption by organisations of any size and provides a framework for managing personal data that meets compliance standards of both internal and external audits.

Even a brief examination of the key principles of these standards demonstrates their importance to organisations using the Internet as a business strategy. Certification under ISO/IEC 27001:2005, for instance, is recognition of the commitment of the organisation in aspiring to particular levels of excellence in the management of ISMSs. The cyber risk team model is an appropriate vehicle for moving toward certification. The cyber risk team could easily assume responsibility for the certification process.

Robert Jackson of Capgemini says:

Standards in Internet risk and security are vital – they are the currency of information security. They are the only reliable evidence of assurance.

The problem with standards is that there are many of them and it is difficult to keep up with them. They are not a panacea; and the question needs to be asked as to whether some standards go far enough. Standards are the start and not the end.

However, certain practicalities require consideration. Seeking certification is likely to be expensive, particularly in terms of staff time. A glance at the key principles illustrates the procedures to be in place to comply with the standard.

Smaller organisations, in particular, may find it difficult to divert the significant resources required for compliance. Larger organisations with employees dispersed over a number of offices may find the quality of control and management that the standard offers to be an attractive proposition.

Andrew Rose of Clifford Chance has strong personal views on benchmark standards:

My personal view, which may not be widely shared, is that the legal sector would benefit from more clearly defined regulation – perhaps in the form of a requirement to conform to ISO/IEC 27001:2005, the standard concerning information security. Although the solicitors’ representative and professional body has issued, for instance, guidelines on the use of e-mail and information security, they are generally very broad because they have to address the needs of both the largest law firm and sole practitioners.

We are now finding that clients are developing and increasing interest in, and influence over, compliance with ISO/IEC 27001:2005. There is also a drive in this direction from cyberliability insurers.

Certainly insurers are now likely to take more than a passing interest in whether an organisation has achieved certification; and, as Andrew Rose asserts, certification may also become a marketing issue, as customers, clients and strategic allies become more sensitive to the need to ensure the security of increasing volumes of sensitive data passing between networks, and insist on certification under the standard.

However, Emily Freeman of Lockton International cautions against complacency over achieving certification:

While adoption of such standards is desirable, it should be remembered that certification is not a guarantee of security but simply a benchmark of best practice. A continuously improving defence in depth is recommended with regard to data security.

Risk compliance provisions

Two further provisions require consideration in the context of managing Internet risk.

Sarbanes-Oxley Act 2002

This Act applies to publicly listed companies and management and public accountancy firms in the USA, together with UK subsidiaries of these organisations, providing the holding company has a significant interest and influence over the internal controls and profitability of the subsidiary. The Act does not apply to private companies.

Organisations are categorised as ‘large accelerated filers’, with a worldwide market value of over $700 million; ‘accelerated filers’, with a worldwide market value of over $75 million but less than $700 million; and ‘non-accelerated filers’, comprising small companies.

On 23 May 2007, the Securities and Exchange Commission issued guidance to non-accelerated filers (Sarbanes Oxley (SOX) compliance, SOX 404, Sarbanes Oxley information for non-accelerated filers) setting out the requirements for management and audit reports for organisations with a worldwide market value of under $75 million.

The provisions of the Act are extremely complex and the consequences of non-compliance are serious. An organisation that is concerned as to whether it is caught by a requirement to comply with the Act and then subsequently to meet compliance requirements, should seek professional advice in every case.

The key provisions which apply to listed companies, and to which subsidiary UK companies should have regard, are broadly summarised below:

•  Section 302 prescribes the content of periodic statutory financial reports and certification requirements.

•  Section 401 requires financial statements to be accurate and include material information.

•  Section 404 requires publication in annual reports of the scope, adequacy and effectiveness of the internal and financial controls.

•  Section 409 requires disclosure of changes in financial circumstances.

•  Section 802 imposes penalties of imprisonment for acts committed in respect of financial records with intent to obstruct a legal investigation.

Basel Committee

In February 2003, the Basel Committee of the Bank for International Settlements published Sound Practices for the Management and Supervision of Operational Risk to address risk issues in the banking sector. This provides guidelines for good practice in the areas of:

•  development of an appropriate risk management environment;

•  risk management procedures;

•  the roles and responsibilities of supervisors;

•  risk disclosure requirements.

Further details are available at www.bis.org.

Financial Services Authority

The Financial Services Authority (FSA) periodically publishes guidance and white papers relating to systems and controls, suggesting good practice. Further details are available at www.fsa.gov.uk.

These three sources introduce compliance provisions which relate primarily to the financial services sector. However, the importance of the provisions lies both in their regulatory enforceability, and also in their alignment with principles of good governance and risk management. To the extent that effective management of Internet risk and information security has financial implications and consequences for an organisation, the system of internal controls required by these provisions should be implemented.

5 IT Governance: A Practitioner’s Guide, Calder A, IT Governance Ltd. (2005).

6 Permission to reproduce extracts from the British standards quoted on pages 97, 106, 149-155 is granted by BSI. British standards can be obtained in PDF or hard-copy formats from the BSI online shop: www.bsigroup.com/shop or by contacting BSI customer services for hard copies only: telephone +44 (0)20 8996 9001, e-mail [email protected].
