Title: Information Risk
Information Risk: Senior Management position
Information Risk and Corporate Governance
- Good corporate governance demands sound processes for managing risk
- But there's no single method for managing all risks
- and few organisations have a sound method of managing information risk, which is one of the biggest and fastest-growing areas of risk
Initiatives in corporate governance: Cadbury, Hampel, Turnbull, Higgs, GLBA, Sarbanes-Oxley
Management need to be more active in managing all risks
Top management face external pressure from:
- Regulators (e.g. financial, health and safety, auditors, Government)
- Shareholders/stakeholders
- Business/service partners
- Customers
- Public
Risk management processes cover political risk, safety risk, credit risk, market risk and information risk.
What information risk means, exactly
Information risk is the chance or possibility of harm being caused to a business as a result of a loss of the confidentiality, integrity or availability of information. It has two components: the nature and level of harm, and the probability of suffering that harm.
Confidentiality, integrity and availability are the key properties of information to be protected.
Information exists in varying forms:
- held in people's heads
- communicated face-to-face
- recorded in deeds and other securities
- entered into, stored, processed, transmitted and presented via IT
The method of protection depends on the form of the information.
The chance or possibility of suffering incidents is high
Information incidents are a feature of daily business life, and there's a high chance of suffering a MAJOR incident.
[Chart: average number of incidents suffered per annum per information resource, and % of information resources that suffered a MAJOR incident, for Business applications (260), Communications networks (159), Computer installations (247), Systems development activities (115) and the overall average (781)]
Business applications, communications networks, computer installations and systems development activities are collectively known as information resources.
Analysis of incidents affecting 781 information resources. Results published in "Driving information risk out of the business" and "Information risk reference guide", Information Security Forum.
The level of harm can be substantial
A sample of 253 worst-case incidents reduced the value of the businesses concerned by 1.4 million, on average. Impacts of identified incidents included:
- 200 million of sales lost
- 105 million that could not be recovered
- 5,000 customer queries unanswered
- 20,000 emails permanently lost
- 400,000 stolen
- confidential data belonging to key business partners destroyed
- 40 fraudulent fund transfers from client accounts
- 3,100 wrong entries on customer accounts
- 5.25 million of IT equipment destroyed and business data unavailable for 4 weeks
- 4,000 staff disrupted
Details of major incidents extracted from "It could happen to you: a profile of major incidents", Information Security Forum, and analysis of 253 worst-case incidents published in "Driving information risk out of the business", Information Security Forum.
How information risk influences other business risks
- Market risk (i.e. factors beyond the control of management, such as interest and currency rates)
- Financial risk (e.g. uncertainties about projected earnings or expenditure)
- Operational risk (e.g. information risk, theft, fraud, loss of facilities or key employees)
Information risk intensifies all business risks, since information is needed to manage each one. Information risk is also an increasingly important component of operational risk.
Information needed to manage each risk includes:
- Information risk status reports
- Identity of key assets (equipment, facilities and employees)
- Status of continuity arrangements
- Borrowings and investment positions
- Projected rates of interest
- Projected cash flows
- External developments
- Sales forecasts
- Forecast expenditure
- Actual sales and expenditure
- Key variances
Getting information risk under control
Threats to the confidentiality, integrity or availability of information, whether unintentional or deliberate, act on a business system and the information it holds; a loss of confidentiality, integrity or availability then has an impact on the business. Business (including security) requirements set the arrangements for protecting information, which work at three points:
- PREVENTION: prevent incidents happening, as far as possible
- DETECTION: detect incidents that slip through
- RECOVERY: facilitate recovery from incidents
Arrangements for protecting information, grouped into control areas:
- Policies and standards
- Ownership
- Organisation
- Risk identification
- Awareness
- Service agreements
- User capabilities
- IT capabilities
- System configuration
- Data back-up
- Contingency arrangements
- Physical security
- Access to information
- Change management
- Problem management
- Special controls
- Audit/review
- (Business practices)
Other key terms
Arrangement or control: a policy, method, procedure, device or programmed mechanism designed to protect the confidentiality, integrity and availability of information (e.g. data back-up), or that otherwise influences the level of protection provided (e.g. operator training and supervision).
Information incident: an event (or chain of events) that compromises the confidentiality, integrity or availability of information, e.g.
- malfunction of software or hardware
- loss of services, equipment or facilities
- overload
- human error
- unforeseen effects of change
- access violation.
For IT-based information resources (systems development activities, computer installations and communications networks), 'ownership' and business impact vary in how easy they are to pin down:
- Business impact: easy to assess for some resources, but hard to assess if multiple applications are supported.
- 'Ownership': generally easy to identify for some resources, but not easy to pin down where information is used for different purposes in individual systems.
Good controls drive down the volume of incidents
The average number of incidents suffered a year is halved when controls are in good, all-round condition.
Average number of incidents suffered over a year:
- Information resources with controls in good, all-round condition: 135
- Information resources with controls NOT in good, all-round condition: 259
Analysis of some 210,000 incidents affecting 844 information resources covered by the Information Security Forum's Security Status Survey.
Why reducing the volume of incidents is important
Eliminating minor incidents is important, since the chance of suffering a MAJOR incident climbs as the number of minor incidents increases.
[Chart: % of information resources that experienced a MAJOR incident over a year, for information resources categorised by number of incidents suffered over a year: 1, 2-10, 11-50, 51-100, more than 100]
Analysis of incidents affecting 844 information resources covered by the Information Security Forum's Security Status Survey.
Good controls lead to big savings
Controls that are in good, all-round condition dramatically reduce the financial impact of worst-case incidents.
Average financial impact of worst-case incidents suffered over a year:
- Information resources with controls in good, all-round condition: 0.05m
- Information resources with controls NOT in good, all-round condition: 0.74m
Analysis of 244 worst-case incidents for which financial data was provided, covered by the Information Security Forum's Security Status Survey.
Good controls slash the odds of suffering major incidents
Controls that are in good, all-round condition reduce the probability of experiencing MAJOR incidents by more than a factor of four.
[Chart: % of information resources that suffered a major incident over a year, for information resources with controls in good, all-round condition versus information resources with controls NOT in good, all-round condition]
Analysis of incidents affecting 663 information resources covered by the Information Security Forum's Security Status Survey.
The secret of driving information risk down
What drives risk down is not statistics, it's BEHAVIOUR:
- Commitment from the top
- Good management
- Individual ownership
- Disciplined relationships
- Specialist know-how
- Systematic risk assessment
- Active driving force
- Clear rules
- Independent review
- Disciplined handling of changes
- Sound environment
- Sound basic practices
- Operational things done right
- Controlled access to system capabilities
- Other obvious risks controlled
What determines BEHAVIOUR is management commitment and the skills, rules and procedures applied on the ground.
Managing information risk down
[Diagram: reporting chain for information risk]
- Top management: the organisation's information risk status; reporting requirements
- Security or risk manager: information risk management
- 'Owners': information risk status of individual systems and critical information resources
Workshop Task
- In your workshop teams, your final task is to:
- Prepare your top 5 priorities that management need to be aware of and act upon (please rank in priority order), and be prepared to discuss these with the strict CEO and his very experienced CISO
- You need to be able to justify and defend each priority, and win their support and buy-in
- Also, consider two other priorities that did not make your top 5
- Good luck!!