CHAPTER 4
Information Asset Risk Planning and Management

Information asset risk planning is a key information governance (IG) program activity. In fact, much of IG is about managing information risk, and often, information risk analysis is a regulatory obligation.1 Often, organizations have identified risks to information but have not taken the appropriate risk assessment and mitigation steps to counter those risks.

There are various types of risks to information assets, including the risk of noncompliance with legal regulations; technology risks centered around cybersecurity and system maintenance; external and internal data breaches; management risks related to managing change, system planning, and providing proper training; and even natural disasters or rare disasters caused by humans, such as the 9/11 attacks in New York City.

Information asset risk planning requires that the organization take a number of specific steps in identifying, analyzing, and countering information risks:

  1. Identify risks. Conduct a formal process of identifying potential vulnerabilities and threats (both external and internal) to information assets.
  2. Assess impact. Determine the potential financial and operational impact of the identified adverse events.
  3. Determine probability. Weigh the likelihood that the identified risk events materialize.
  4. Countermeasures. Create high-level strategic plans to mitigate the greatest risks.
  5. Create policy. Develop strategic plans into specific policies.
  6. Establish metrics. Determine metrics to measure risk reductions from mitigation efforts.
  7. Assign responsibilities. Identify those who are accountable for executing the new risk mitigating processes and maintaining the processes in place.
  8. Execute plan. Execute the information risk mitigation plan.
  9. Audit, review, adjust. Audit the information risk mitigation plan and make adjustments.

Critically, these risk mitigation efforts must be tested and audited periodically not only to ensure conformance to the policies, but also to provide a feedback loop to revise and fine-tune policies and optimize business processes.

Some key benefits that flow from this information risk planning process include:

  • Protection and preservation of information assets
  • Protection of the organization's reputation, brand, and equity value
  • Organizational “defense in depth” for privacy and cybersecurity
  • A direct connection to enterprise information security practices which help to assure consumer or customer privacy
  • Privacy controls that are clearly defined which reduce risks and support compliance efforts
  • Privacy requirements that are measurable and enforceable
  • Accountability in cybersecurity and privacy processes2

Depending on the jurisdiction, information is required by specific laws and regulations to be retained for specified periods (a compliance risk), and to be produced in specified situations. To determine which laws and regulations apply to your organization's information, research into the legal and regulatory requirements for information in the jurisdictions in which you operate must be conducted.

The Information Risk Planning Process

The risk planning steps, delineated in more detail, are as follows.

Step 1: Conduct a Formal Process of Identifying Potential Vulnerabilities and Threats

Some primary threats to information assets include:

Breaches. A key threat to all organizations is major data breaches. Breaches can not only compromise confidential information, but they also can represent a breach of consumer trust, which damages the organization's reputation and equity value. It also negatively affects employee morale and the ability to retain employees. It is costly to prepare for and prevent breaches, so threats must be prioritized based on the specific organization's risk profile. According to a recent study by the Ponemon Institute, the cost of a data breach averages almost $4 million, and the average cost for each lost or stolen record containing sensitive and confidential information was $148.3

Ransomware. Ransomware is a newer type of risk that organizations face. Ransomware attacks typically occur when hackers intrude into computer systems and lock down crucial files with encryption, and then demand a fairly modest (although this has been increasing) ransom payment to unlock the files. Perhaps the most widespread ransomware attack to date occurred in May 2017 with the WannaCry attacks that infected over 200,000 Windows systems, including computers at 48 hospital trusts in the United Kingdom, crippling operations. The attack spread to European countries and to the United States, and even included attacks that compromised medical devices.4 Hackers know that daily hospital operations depend on IT systems and that management will often decide to pay rather than disrupt operations. Rogue hackers are getting more sophisticated and savvy. They recently introduced Ransomware-as-a-service kits that they sell to other rogue operators, which can be customized to hit a particular target. Often the developer of the kit will take a percentage of the proceeds of successful ransomware attacks.5

Noncompliance fines and sanctions. Another major risk is compliance violations, and the potential for large fines. A major violation of the EU GDPR privacy regulation can result in a fine of as much as 4% of total annual revenues. In the United States, the new (2020) California Consumer Privacy Act also imposes strict privacy requirements. Further, Sarbanes-Oxley violations for public companies can run into the millions of dollars, as can HIPAA violations for healthcare institutions. These actions have not only an immediate financial impact but can also erode the organization's reputation in the marketplace, which would impact future revenues and even shareholder equity value.

Other compliance and legal risks. There are additional compliance and legal risks to identify and research. Federal, provincial, state, and even municipal laws and regulations may apply to the retention period for business or consumer information. Organizations operating in multiple jurisdictions must maintain compliance with laws and regulations that may cross national, state, or provincial boundaries. Legally required privacy actions and retention periods must be researched for each jurisdiction (country, province, state, and even city) in which the business operates, so that it complies with all applicable laws. Legal counsel and records managers (or the IG lead) must conduct their own legislative research to apprise themselves of mandatory information retention requirements, as well as privacy considerations and requirements, especially in regard to PII and PHI. This regulatory information must be analyzed and structured and then presented to legal staff for discussion. Then further legal and regulatory research must be conducted, and firm legal opinions must be rendered by the organization's legal counsel regarding information retention and privacy and security requirements in accordance with laws and regulations. This is an absolute requirement. The legal staff or outside legal counsel should provide input as to the legal hold notification (LHN) process, provide opinions and interpretations of law that applies to a particular organization, provide input on the value of formal records to arrive at a consensus on records that have legal value to the organization, and construct an appropriate retention schedule.

Legal requirements take priority over all others. The retention period for confidential data or a particular type of record series must meet minimum retention, privacy, and security requirements as mandated by law. Business needs and other considerations are secondary. So, legal research is required before determining and implementing retention periods, privacy policies, and security measures. In identifying information requirements and risks, legal requirements trump all others.

In order to locate the regulations and citations relating to retention of records, there are two basic approaches. The first approach is to use a records retention citation service, which publishes in electronic form all of the retention-related citations. These services are usually purchased on a subscription basis, as the citations are updated on an annual or more frequent basis as legislation and regulations change.

Another approach is to search the laws and regulations directly using online or print resources. Records retention requirements for corporations operating in the United States may be found in the Code of Federal Regulations (CFR). “The Code of Federal Regulations (CFR) annual edition is the codification of the general and permanent rules published in the Federal Register by the departments and agencies of the federal government. It is divided into 50 titles that represent broad areas subject to federal regulation.”6

For governmental agencies, a key consideration is complying with requests for information as a result of the US Freedom of Information Act (FOIA), Freedom of Information Act 2000 (in the UK), and similar legislation in other countries. So the process of governing information is critical to meeting these requests by the public for governmental records.

Step 2: Determine the Potential Financial and Operational Impact of the Identified Adverse Events

Benchmarking data from peer organizations provides reasonable projections of potential financial and operational impact. For instance, when banks of similar size and business model are fined for noncompliance, others in that market can expect the regulators to come knocking. That is, if Banks A and B have been fined over $1 billion for noncompliance, then Bank C can reasonably presume that they are facing the same size financial risk. Also, a list of major breaches and ransomware attacks at peer organizations and their estimated costs should be considered in the calculations of potential financial impact. These estimates should then be normalized and brought into line with the size of an organization, with considerations given to the competitive, regulatory, and economic environment within which it operates.

Step 3: Weigh the Likelihood That the Identified Risk Events Materialize

In this step, percentages are assigned to the potential adverse events that have been identified. Whereas a major breach event could cost the organization, say, $5 million, its likelihood may be low, in the 3–5% range. Risk management professionals use certain tried-and-true methodologies to assess the likelihood that an event may occur, and these may be leveraged. Or possibly, senior management may have internal models developed to assess risk likelihood that are specific to the organization. Absent standard methodologies, the IG Steering Committee should utilize their experience and information from external input to assess the likelihood that an adverse event may occur.

Once percentages have been assigned, an expected value (EV) calculation can be made. For instance, if a major breach would cost an estimated $5 million, and its likelihood is 5 percent, then the expected value of the financial impact of that event is:

  EV = $5,000,000 × 0.05 = $250,000

If the exposure from a compliance violation has led to fines at peer organizations in the $2 million range, and your organization holds a fairly weak compliance posture, perhaps the likelihood is 10 percent. The EV calculation would then be:

  EV = $2,000,000 × 0.10 = $200,000

And in like manner the potential financial impact of other identified risk events may be calculated, so they can then be ranked and prioritized. This gives executive management the information they need to make budget decisions. Clearly, the risks that are most likely to have a greater financial impact are those that must be mitigated as a priority.

Many organizations create a formalized risk profile to more accurately assess risks the organization faces.

Create a Risk Profile

According to ISO, risk is defined as “the effect of uncertainty on objectives” and a risk profile is “a description of a set of risks.”7 Creating a risk profile is a basic building block in enterprise risk management (yet another ERM acronym), which assists executives in understanding the risks associated with stated business objectives, and allocating resources, within a structured evaluation approach or framework.

There are multiple ways to create a risk profile, and how often it is done, the external sources consulted and stakeholders who have input will vary from organization to organization.8 A key tenet to bear in mind is that simpler is better, and that sophisticated tools and techniques should not make the process overly complex. Creating a risk profile involves identifying, documenting, assessing, and prioritizing risks that an organization may face in pursuing its business objectives. Those associated risks can be evaluated and delineated within an IG framework.

The corporate risk profile should be an informative tool for executive management, the CEO, and the board of directors, so it should reflect that tone. In other words, it should be clear, succinct, and simplified. A risk profile may also serve to inform the head of a division or subsidiary, in which case it may contain more detail. The process is applicable and can also be applied to public and nonprofit entities.

The time horizon for a risk profile varies, but looking out three to five years is a good rule of thumb.9 The risk profile typically will be created annually, although semiannually would serve the organization better and account for changes in today's dynamic business and regulatory environment. But if an organization is competing in a market sector with rapid business cycles or volatility, the risk profile should be generated more frequently, perhaps quarterly.

There are different types of risk profile methodologies, with a “Top 10” list, risk map, and heat map being commonly used. The first is a simple identification and ranking of the 10 greatest risks in relation to business objectives. The risk map is a visual tool that is easy to grasp, with a grid depicting a likelihood axis and an impact axis, usually rated on a scale of 1–5. In a risk assessment meeting, stakeholders can weigh in on risks, using voting technology to generate a consensus. A heat map is a color-coded matrix generated by stakeholders voting on risk level by color (e.g. red being highest).
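The expected-value ranking from Step 3 and the "Top 10" list and 5×5 likelihood/impact risk map described above can be carried out on a small risk register. The following Python is an added example, not code from the chapter: the risk names, dollar figures, probabilities and stakeholder votes are constructed (the first two entries reuse the chapter's $5M at 5% and $2M at 10% figures), and the heat-map colour bands on the product of likelihood and impact are an assumption.

```python
"""Expected-value ranking and a 5x5 likelihood/impact risk map for an
information asset risk register (Steps 2 and 3 of the chapter).

Added example, not code from the chapter. The risk entries, dollar figures,
probabilities and stakeholder votes below are constructed; the heat-map colour
thresholds are an assumption.
"""
from dataclasses import dataclass, field
from statistics import median_high
from typing import Dict, List, Tuple


@dataclass
class Risk:
    name: str
    impact_usd: float                 # estimated cost if the event occurs (Step 2)
    likelihood: float                 # probability in [0, 1] (Step 3)
    likelihood_votes: List[int] = field(default_factory=list)  # stakeholder 1-5 votes
    impact_votes: List[int] = field(default_factory=list)      # stakeholder 1-5 votes

    def expected_value(self) -> float:
        """EV = impact x likelihood, the figure used to rank risks for budgeting."""
        if not 0.0 <= self.likelihood <= 1.0:
            raise ValueError(f"likelihood must be a probability in [0, 1]: {self.likelihood}")
        return self.impact_usd * self.likelihood


def rank_by_expected_value(risks: List[Risk]) -> List[Tuple[str, float]]:
    """(name, EV) pairs, largest expected loss first."""
    return sorted(((r.name, r.expected_value()) for r in risks),
                  key=lambda pair: pair[1], reverse=True)


def top_n(risks: List[Risk], n: int = 10) -> List[str]:
    """The 'Top 10' style list: names of the n largest risks by EV."""
    return [name for name, _ in rank_by_expected_value(risks)[:n]]


def consensus_score(votes: List[int]) -> int:
    """Collapse stakeholder votes on a 1-5 scale to one score.

    median_high keeps the result an integer grid coordinate, and a median means
    a single extreme voter cannot drag the score the way an average would.
    """
    if not votes:
        raise ValueError("no votes recorded")
    if any(v not in range(1, 6) for v in votes):
        raise ValueError(f"votes must be integers 1-5: {votes}")
    return median_high(votes)


def risk_map_cell(risk: Risk) -> Tuple[int, int]:
    """(likelihood, impact) grid coordinates on the 5x5 risk map."""
    return consensus_score(risk.likelihood_votes), consensus_score(risk.impact_votes)


def heat_color(cell: Tuple[int, int]) -> str:
    """Assumed heat-map banding on the product likelihood x impact (1-25)."""
    score = cell[0] * cell[1]
    if score >= 15:
        return "red"
    if score >= 8:
        return "amber"
    return "green"


def build_risk_map(risks: List[Risk]) -> Dict[Tuple[int, int], List[str]]:
    """Group risk names by grid cell so the map can be drawn or reviewed cell by cell."""
    grid: Dict[Tuple[int, int], List[str]] = {}
    for r in risks:
        grid.setdefault(risk_map_cell(r), []).append(r.name)
    return grid


# Constructed register. The first two entries reuse the chapter's worked figures
# ($5M at 5%, $2M at 10%); the rest are invented for illustration.
REGISTER: List[Risk] = [
    Risk("Major data breach", 5_000_000, 0.05, [2, 3, 2, 2], [5, 5, 4, 5]),
    Risk("Compliance fine", 2_000_000, 0.10, [2, 2, 3], [4, 4, 4]),
    Risk("Ransomware outage", 1_200_000, 0.20, [3, 4, 4, 3], [4, 4, 3, 5]),
    Risk("Lost laptop with PII", 150_000, 0.60, [4, 5, 4], [1, 2, 1]),
]

if __name__ == "__main__":
    for name, ev in rank_by_expected_value(REGISTER):
        print(f"{name:<24} EV = ${ev:>12,.0f}")
    for cell, names in sorted(build_risk_map(REGISTER).items()):
        print(f"cell L{cell[0]} x I{cell[1]} ({heat_color(cell)}): {', '.join(names)}")
```

Note that the two rankings need not agree: the EV list puts the breach first because of its dollar impact, while the voted risk map places the ransomware outage in the red cell because stakeholders rate it both likelier and still severe. Presenting both to the Steering Committee is what surfaces that disagreement for discussion.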

Information gathering is a fundamental activity in building the risk profile. Surveys are good for gathering basic information, but for more detail, a good method to employ is direct, person-to-person interviews, beginning with executives and risk professionals.10 Select a representative cross-section of functional groups to gain a broad view. Depending on the size of the organization, you may need to conduct 20–40 interviews, with one person asking the questions and probing, while another team member takes notes and asks occasionally for clarification or elaboration. Conduct the interviews in a compressed timeframe—knock them out within one to three weeks and do not drag the process out, as business conditions and personnel can change over the course of months.

There are a number of helpful considerations to conducting successful interviews. First, prepare some questions for the interviewee in advance, so they may prepare and do some of their own research. Second, schedule the interview close to their office, and at their convenience. Third, keep the time as short as possible, but long enough to get the answers you will need: approximately 20–45 minutes. Be sure to leave some open time between interviews to collect your thoughts and prepare for the next one. And follow up with interviewees after analyzing and distilling the notes to confirm you have gained the correct insights.

The information you will be harvesting will vary depending on the interviewee's level and function. You will need to look for any hard data or reports that show performance and trends related to information asset risk. There may be benchmarking data available as well. Delve into information access and security policies, policy development, policy adherence, and the like. Ask questions about retention of e-mail and legal hold processes. Ask about records retention and disposition policies. Ask about privacy policies. Ask about their data deletion policies. Ask about long-term preservation of digital records. Ask for documentation regarding IG-related training and communications. Dig into policies for access to confidential data and vital records. Try to get a real sense of the way things are run, what is standard operating procedure, and also how workers might get around overly restrictive policies or operate without clear policies. Learn enough so that you can firmly grasp the management style, corporate culture, and appetite for risk, and then distill that information into your findings.

Key events and developments must also be included in the risk profile. For instance, a major data breach, the loss or potential loss of a major lawsuit, pending regulatory changes that could impact your IG policies, or a change in business ownership or structure must all be accounted for and factored into the information asset risk profile. Even changes in governmental leadership should be considered, if they might impact regulations impacting the organization. These types of developments should be tracked on a regular basis, and should continue to feed into the risk equation.11 You must observe and incorporate an analysis of key events in developing and updating the risk profile.

When you get to this point, it should be possible to generate a list of specific potential risks. It may be useful to group or categorize the potential risks into clusters such as technology, natural disaster, regulatory, safety, competitive, management policy, and so forth. Armed with this list of risks, you should solicit input from stakeholders as to likelihood and timing of the threats or risks. As the organization matures in its risk identification and handling capabilities, a good practice is to look at the risks and their ratings from the previous years to attempt to gain insights into change and trends—both external and internal—that affected the risks.

Step 4: Create High-Level Strategic Plans to Mitigate the Greatest Risks

After identifying the major risk events the organization faces, and calculating the potential financial impact, the IG Steering Committee must develop possible countermeasures to reduce the risks, and their impact if they do occur. This means creating an information asset risk mitigation plan. Various risk mitigation options should be explored for each major risk, and then the required tasks to reduce the specified risks and improve the odds of achieving business objectives should be delineated.12 Considering all the documentation that has been collected and analyzed in creating the risk profile and risk assessment, the specific tasks and accountabilities should be laid out and documented. The information asset risk mitigation plan must include key milestones and metrics and a timetable for implementation of the recommended risk mitigation measures. Some of the major tasks will include developing a robust and consistent security awareness training program, implementing a privacy awareness training program, acquiring new IT tools, developing risk countermeasure implementation plans, assigning roles and responsibilities to carry them out, and developing an audit and verification process to ensure mitigation actions are being taken and are effective.

A helpful exercise and visual tool is to draw up a table of top risks, their potential impact, actions that have been taken to mitigate the risk, and suggested new risk countermeasures, as in Table 4.1.

Table 4.1 Risk Assessment

  What Are the Risks?
    • Breach of Confidential Documents
  How Might They Impact Business Objectives?
    • Compromise confidential information
    • Compromise competitive position
    • Compromise business negotiations
  Actions and Processes Currently in Place?
    • Utilizing ITIL and CobiT IT Frameworks
    • Annual CIS Top 20 security assessment
    • Published security policies
    • Published privacy policies
    • Annual security audits
  Additional Resources Needed to Manage This Risk?
    • Hold security awareness training
    • Implement newer technologies including Information Rights Management (IRM)
    • Privacy awareness training
    • Implement quarterly audits
  Action by Whom?
    • IT Staff, Chief Info Security Officer
    • Chief Privacy Officer
    • IT Audit
  Action by When?
    • 01/10/2021
    • 06/1/2021
  Done
    • (blank)

Step 5: Develop Strategic Plans into Specific Policies

The strategic plans will be high level and must be forged into everyday policies to embed IG considerations into daily operations. Creating or updating policies in multiple areas will be required, along with metrics to measure how well the information asset risk mitigation is being implemented. Some policy areas that may need to be reviewed include:

  • Privacy notice and privacy policy
  • E-mail policies, specifically when handling PII, confidential, or sensitive information
  • Text messaging and instant messaging (IM) policies when handling confidential information
  • Social media use policies
  • Mobile device policies, especially when handling PII, confidential, or sensitive information
  • Policies for the use of cloud computing platforms
  • If the organization uses SharePoint, updated governance policies on the appropriate use of the portal
  • Personnel policies, especially when handling PII, confidential, or sensitive information
  • Other areas as needed by a specific organization

Step 6: Determine Metrics to Measure Risk Reductions from Mitigation Efforts

The IG program must be measured and controlled. Objective ways to measure conformance and performance of the program must be developed. This requires quantitative measures that are meaningful and measure progress. Stakeholder consultation is required in order that meaningful metrics are created.

Assigning quantitative measures that are meaningful and do, in fact, measure progress may take some serious effort and consultation with stakeholders. Determining relevant ways of measuring progress will allow executives to see progress, as, realistically, reducing risk is not something anyone can see or feel; it is only in the failure to do so, when the risk comes home to roost, that the painful realizations are made. Also, tracking valid metrics helps to justify investment in the IG program.

The proper metrics will vary from organization to organization, but some examples of specific metrics may be:

  • Reduce the number of stolen or misplaced laptops by 50% over the previous fiscal year
  • Reduce the number of hacker intrusion events by 75% over the previous fiscal year
  • Reduce e-discovery collection and review costs per GB by 25% over the previous fiscal year
  • Reduce the number of adverse findings in the risk and compliance audit by 50% over the previous fiscal year
  • Provide security awareness training (SAT) to 100% of the headquarters workforce this fiscal year, and maintain a continual education program
  • Roll out the implementation of IRM software to protect confidential e-documents to 50 users this fiscal year
  • Provide confidential “vanishing” messaging services for the organization's 20 top executives this fiscal year
  • Reduce the number of medical errors due to poor or untimely information by 10 percent over the previous fiscal year

Your organization's metrics should be tailored to address the primary goals of your IG program, and should tie directly to stated business objectives.
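Several of the example metrics above have the form "reduce X by N% over the previous fiscal year", which only becomes an objective measure once the counts behind it come from a record rather than from memory. The following Python scorecard is an added example, not code from the chapter: it derives the prior-year and current-year counts from a constructed incident register, computes the achieved reduction, and reports whether each target was met. The incident records are constructed, and the fiscal-year boundary (1 July, years named by the year in which they end) and category names are assumptions.

```python
"""Scorecard for Step 6 style metrics of the form "reduce X by N% over the
previous fiscal year", computed from an incident register rather than typed in.

Added example, not from the chapter. The incident records are constructed, and
the fiscal-year boundary (1 July) and category names are assumptions.
"""
from collections import Counter
from datetime import date
from typing import Dict, List, Tuple

FY_START_MONTH = 7  # assumption: fiscal year runs 1 July - 30 June, named by its end year

# Constructed incident register: (ISO date, category)
INCIDENTS: List[Tuple[str, str]] = [
    ("2019-08-02", "lost_laptop"), ("2019-11-15", "lost_laptop"),
    ("2020-02-20", "lost_laptop"), ("2020-05-09", "lost_laptop"),
    ("2019-09-30", "intrusion"), ("2020-01-12", "intrusion"),
    ("2020-03-03", "intrusion"), ("2020-06-28", "intrusion"),
    ("2020-07-14", "lost_laptop"), ("2020-12-01", "lost_laptop"),
    ("2020-10-05", "intrusion"), ("2021-04-18", "intrusion"),
    ("2021-05-30", "intrusion"),
]


def fiscal_year(d: date) -> int:
    """FY label for a calendar date; 2020-06-28 -> FY2020, 2020-07-14 -> FY2021."""
    return d.year + 1 if d.month >= FY_START_MONTH else d.year


def counts_by_fiscal_year(incidents, category: str) -> Dict[int, int]:
    """Number of incidents of one category in each fiscal year."""
    tally: Counter = Counter()
    for iso_date, cat in incidents:
        if cat == category:
            tally[fiscal_year(date.fromisoformat(iso_date))] += 1
    return dict(tally)


def reduction_pct(previous: int, current: int) -> float:
    """Percentage reduction from previous to current; negative means it got worse."""
    if previous == 0:
        # A zero baseline cannot be "reduced by N%"; the metric needs a different form.
        raise ValueError("no baseline: a zero count in the prior year cannot be reduced")
    return (previous - current) / previous * 100.0


def evaluate_reduction(incidents, category: str, fy: int, target_pct: float) -> dict:
    """Score one 'reduce by target_pct over the previous fiscal year' metric."""
    counts = counts_by_fiscal_year(incidents, category)
    previous, current = counts.get(fy - 1, 0), counts.get(fy, 0)
    achieved = reduction_pct(previous, current)
    return {"category": category, "fiscal_year": fy, "previous": previous,
            "current": current, "achieved_pct": achieved,
            "target_pct": target_pct, "met": achieved >= target_pct}


def scorecard(incidents, fy: int, targets: Dict[str, float]) -> List[dict]:
    """Evaluate every (category -> target %) pair for one fiscal year."""
    return [evaluate_reduction(incidents, cat, fy, pct) for cat, pct in targets.items()]


if __name__ == "__main__":
    for row in scorecard(INCIDENTS, 2021, {"lost_laptop": 50.0, "intrusion": 75.0}):
        status = "MET" if row["met"] else "NOT MET"
        print(f"{row['category']:<12} FY{row['fiscal_year']} {row['previous']} -> {row['current']}"
              f" ({row['achieved_pct']:.0f}% vs target {row['target_pct']:.0f}%): {status}")
```

The register is the part worth getting right: if incidents are recorded inconsistently between years, the percentage will move for reasons that have nothing to do with the mitigation effort, which is exactly the kind of finding the Step 9 audit should surface.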

Step 7: Identify Those Who Are Accountable for Executing the New Risk Mitigating Processes and Maintaining the Processes in Place

From the IG Steering Committee, specific individuals should be assigned and held accountable for the specific tasks set out in the information asset risk mitigation plan. Sometimes this may mean a small team: a subgroup of the larger IG Steering Committee is assigned accountability, since IG crosses functional boundaries. Generally, individuals who have expertise in a certain area are the best choice to be assigned accountabilities in that area. For instance, if the organization is planning on encrypting all PII when transmitted, as well as when at rest (stored), the RIM manager and Chief Information Security Officer (CISO) or IT representative will need to work together to roll out the new capability and to develop a training and communications plan. A good tool to use is a RACI (responsible, accountable, consulted, informed) matrix that pinpoints key accountabilities.

Step 8: Execute the Risk Mitigation Plan

Executing the risk mitigation plan requires that regular project team meetings are set up, and key reports on the information asset risk mitigation metrics are tracked to manage the process. Standard project/program management tools and techniques should be utilized, as they are proven. Some additional tools may be needed, such as leveraging data mapping software or perhaps developing an information asset register, advanced analytics, collaboration software, artificial intelligence (AI) software, knowledge management software, or even social media within the organization.

The most important part of managing an IG program is clear and regular communications, to keep the team updated and motivated, and to smoke out any rising problems or challenges. Everyone on the IG team must be kept up to date on the progress being made in the information risk reduction effort. Teams go through various stages of conflict and compromise, so do not expect that things will always go smoothly. Encouraging healthy conflict can yield positive results. But the executive sponsor and IG lead must have high levels of emotional intelligence to manage conflict in a positive way so that team members do not feel slighted when their ideas are not adopted as they proposed. The sum of the team's efforts should be emphasized.

Step 9: Audit the Information Asset Risk Mitigation Plan

Using the metrics you have developed, there must be a process in place to separately and independently audit compliance with the information risk mitigation measures, to see that they are being implemented. The result of the audit should be a useful input in improving and fine-tuning the program. It should not be viewed as an opportunity to cite shortfalls and implement punitive actions. It should primarily be a periodic and regular feedback loop into the IG program.

It may be wise to use an internal auditor, or even an external auditor or consultant to measure the progress of the information asset risk mitigation plan, based on the metrics established by the IG team. The output of the audit process will provide useful input for fine-tuning and improving the program.

Information Risk Planning and Management Summary

To summarize, an information risk assessment can be compressed into five basic steps:13

  1. Identify the risks: This should be an output of creating a risk profile, but if conducting a risk assessment, first identify the major information-related risks.
  2. Determine potential impact: If a calculation of a range of economic impact is possible (e.g. lose $10M in legal damages), then include it. If not, be as specific as possible as to how a negative event related to an identified risk can impact business objectives.
  3. Evaluate risk levels and probabilities and recommend action: Based on a prioritized list of information risks, assign probabilities, determine the potential impact, and develop countermeasures. This may be in the form of recommending new procedures or processes, new investments in information technology, or other actions to mitigate identified risks.
  4. Create a report with recommendations and implement: This may include a risk assessment table as well as written recommendations, then implement.
  5. Review periodically: Audit annually or semiannually, as appropriate for your organization.

Notes

  1. Elizabeth Snell, “The Role of Risk Assessments in Healthcare,” http://healthitsecurity.com/features/the-role-of-risk-assessments-in-healthcare (accessed February 1, 2018).
  2. Eric Basu, “Implementing a Risk Management Framework for Health Information Technology Systems—NIST RMF,” Forbes, August 3, 2013, www.forbes.com/sites/ericbasu/2013/08/03/implementing-a-risk-management-framework-for-health-information-technology-systems-nist-rmf/#23e63d46523a.
  3. “2018 Cost of a Data Breach Study by Ponemon,” https://www.ibm.com/security/data-breach (accessed August 22, 2018).
  4. Thomas Fox-Brewster, “Medical Devices Hit by Ransomware for the First Time in U.S. Hospitals,” Forbes.com, May 17, 2017, https://www.forbes.com/sites/thomasbrewster/2017/05/17/wannacry-ransomware-hit-real-medical-devices/#2fc718b9425c.
  5. Ibid.
  6. U.S. Government Publishing Office (GPO), “Code of Federal Regulations,” www.gpo.gov/help/index.html#about_code_of_federal_regulations.htm (accessed March 6, 2016).
  7. “ISO 31000 2009 Plain English, Risk Management Dictionary,” www.praxiom.com/iso-31000-terms.htm (accessed March 25, 2013).
  8. John Fraser and Betty Simkins, eds., Enterprise Risk Management: Today's Leading Research and Best Practices for Tomorrow's Executives (Hoboken, NJ: John Wiley & Sons, 2010), 171.
  9. Ibid., 172.
  10. Ibid.
  11. Ibid., 179.
  12. Project Management Institute, A Guide to the Project Management Body of Knowledge (PMBOK Guide), 4th ed., ANSI/PMI 99-001-2008, pp. 273–312.
  13. “Controlling the Risks in the Workplace,” Health Safety Executive, www.hse.gov.uk/risk/controlling-risks.htm (accessed March 6, 2016).