Risk Management Studio

More and more the business terms information security and cybersecurity are used interchangeably. The media and recently elected government officials are dumbing down the world of security, specifically the protection of information in all forms. It seems daily, that the major news outlets in all countries are reporting cyberattacks organizations of all types. Social media is constantly buzzing with the latest cyberattack on well known companies or the latest list of hacked emails being circulated to expose someone.

But are information security (infosec) and cybersecurity (cybersec) synonyms? In order to best answer that question, let's explore what each term means to us today and how they came to be a part of everyday language.

According to the Oxford Dictionaries online the definitions of these terms are very similar with one small exception:

Information security – “The state of being protected against the unauthorized use of information, especially electronic data, or the measures taken to achieve this.”

Cybersecurity – “The state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this.”

To highlight the small difference between the two definitions, recognize that cybersec (cybersecurity) relates purely to digital or electronic and infosec (information security) relates to any form of information assets, digital or paper. The prefix cyber is defined as relating to or characteristic of the culture of computers, information and communication technology (ICT), and virtual reality. Interestingly, cyber hasn’t always been associated with the digital age.

Read more: full text

Lean Thinking Applied to ISO 27001:2013

What has changed since the release of the 2013 revision for ISO/IEC 27001, the internationally recognized standard for information security management systems (ISMS) in enterprises of all industries and sizes? Since this was a revision to the previously released ISO/IEC 27001:2005 Standard, enterprises had a grace period for the certification to the newly released standard.

The previous versions of ISO 27001 clearly required the use of the Deming cycle or Plan-Do-Check-Act (PDCA) cycle for the continual improvement of the ISMS, but now other methodologies such as Lean and Six Sigma may be utilized instead. The change to the 2013 revision clause 10.2, Continual Improvement, is vaguer than it is assuring. Even organizations beginning the journey to certification of ISO 27001 will need to choose the best continual improvement process for their business and this may cause issues if the leadership disagrees about the ‚best‘ method.

Is it time to throw away all the work the enterprise has been doing and start fresh with a new method? Possibly, if your enterprise is restructuring or merging and the potential for excess systems, processes and people will limit the short and long term gains expected by the major changes. But as the popular cliché „if it ain‘t broke, don‘t fix it“ states, the need to use something new isn‘t necessarily the best decision.

The PDCA Cycle

Interestingly enough, Dr. W. Edwards Deming introduced the PDCA cycle to Japan at a Japanese Union of Scientists and Engineers (JUSE) in 1950, which was a modified version of the scientific method that traces back to Galileo in 1600‘s introduced by Walter Shewhart in 1939. The Japanese referred to this method as the Deming wheel and it was a major influence on the modern manufacturing in Japan leading to the highly regarded Lean Management thinking of Toyota popularized in the book The Machine that Changed the World by Womack, Roos and Jones (1990).

In the 80‘s Dr. Deming introduced to the Western World an evolved version he believed was more relevant to modern times, called the PDSA Cycle. The „Model for Improvement“ was the name of this cycle and the change of the ‚C‘ for ‚Check‘ to ‚S‘ for ‚Study‘ was to provide a clear understanding that the use of the cycle is best suited for learning and improving through an evolutionary process. In short, one must learn from the cycle in order to make the improvements that naturally yield desired results.

Enhancement is a term that represents improving what exists and that is the best course of action when discussing the quality and effectiveness of a risk management process for ISMS. Just as the tried and true scientific method developed by Galileo evolved over time, the effectiveness and continual improvement of ISMS can also benefit from a few intelligent modifications leading to a shorter implementation timeframe and higher quality of execution.

Lean Thinking

Why not apply Lean principles to the existing ISMS and risk management strategy when implementing the guidance provided by ISO 27001? The ISO 27001:2013 Standard is regarded as one of the best models for a successful implementation of ISMS in enterprises. The application of Lean Thinking and techniques to the implementation process will not only aid in increasing efficiencies, but also reduce wastes and improve the capabilities of the individuals involved (in most cases a successful ISMS involves everyone in the enterprise). This is not an endorsement for a full Lean implementation in your organization, but an intelligent nudge to evolve the thinking and actions of the crucial participants.

Now that you’re bought in, what is Lean? The narrow definition is improved tools and cost cutting, but the broader definition is enhanced thinking applied systematically to the entire enterprise and supporting business systems.

Lean is based on five principles that flow into one another and are continuous. The application of the five principles will vary depending on where the organization is when deciding to enhance the risk management strategy. Here are the 5 principles and there application to risk management:

Principle One: Specify Value "Value" is the critical element in thinking Lean. Everything about Lean is to promote more value from within. You need to identify the highest stress points threatening value throughout the ISMS.  By determining the value on specific goods or services or combinations of them we can start to understand where to enhance value.

Principle Two: Identify and map the Value Stream "Value stream" is the specific set of activities needed to carry a specific product (goods, services or a combination of both) to the ones who need it. Identifying and removing the steps that don‘t add value are also a crucial element of mapping the Value Stream. For example, a quality ISMS has the IT architecture mapped, but the efficiency and convenience are rarely top priorities. Taking into account the Lean principle for mapping the Value Stream, the enterprise can align the IT (high value) with a more efficient delivery system (value stream) to the customers (employees of the enterprise). In order to do this phase in a successful manner, we need to have transparency for a full view of related activities with an effect on one another.

Principle Three: Continuous Flow "Flow" is the third step in Lean Thinking and the idea is to make the value-creating steps in tight sequence for a smooth flow of information. The risk management point of view puts this principle to the test, as the ISMS needs to provide a smooth flow of information but must also provide protection along the journey. “The lean alternative is to redefine the work of functions, departments, and firms so they can make a positive contribution to value creation and to speak to the real needs of employees at every point along the stream so it is actually in their interest to make value flow.” (Womack & Jones, 2003, p.24)

Principle Four: Establish Pull The "Pull" principle states that as "Flow" is introduced, information access levels are required to maintain integrity. This may present the most challenging adaptation, but the idea is simple. In terms of Lean Thinking for ISMS secure all information until it is needed by someone with an approved access level for the data. The Pull mechanic is also a valuable process for gathering and reviewing information, especially by the decision makers.

Principle Five: Seek Perfection "Seek Perfection" is the fifth principle in Lean Thinking and it is simply understood as continuous improvement for everything: people, process, policies, reporting, transparency, and expectations. The fifth principle also brings us back to the first principle, Identify Value, thus completing the wheel. Seeking perfection can be a tricky principle to apply, as it requires that vast majority of your co-workers to raise their level of awareness, knowledge, and willingness to follow the policies and controls being put into place. In risk management for ISMS you can begin to review the control implementation from a higher level by assessing the maturity by determining if the control is being executed regularly by all parties involved. You should also begin to evaluate the effectiveness of the control implementation. For any implemented control that doesn‘t meet your expectations, a best practice is to set the level of expected execution and assign someone to be responsible for achieving the desired level of execution by a set date. Essentially by using this exercise to self-audit your ISMS implementation you are fulfilling a task for the ISO 27001 certification, as well as preparing yourself for repeating the 5 step thought process (5 principles) to move closer to perfection.

Repeating the 5 step process may expose the hidden waste in the value stream or reveal obstacles to the flow of information. The ISMS or risk management teams need to be in closer contact with other employees in order to better understand the real-world issues preventing the expected level of execution. Transparency of assessment and audit results shared with everyone on a frequent basis will increase knowledge and help the employees discover better ways to create value. An additional key benefit is rapid and positive feedback for employees making improvement, a key feature of Lean work and a powerful motivator to continuing efforts to improve.

Lean Thinking applied to Information Security Management Systems

Applying the 5 Principles of Lean Thinking to your ISMS and ISO 27001 projects can be intimidating at first, especially if you are unfamiliar with the Lean way of thinking and project management. We encourage you to seek out more information on Lean management and use your own intelligence to apply some of the best practices to your business.

We have designed RM Studio to be a dynamic risk management toolkit based on the methodology of ISO 27005. RM Studio is designed to help your enterprise organize and simplify the ISO 27001 certification process and cement the best practice behaviors into everyday use.

IT Vendor risk assessments - ISMS & ISO27001 audits depend on high quality evals for compliance.

The all-pervading Information Technology (IT) has brought unfathomable changes to the ways global business work today. While IT itself has grown by leaps and bounds, bringing newer business technologies with the passing of every quarter, if not month, it has also ensured the successful exploration of fresher avenues in business operations – from everyday activities to trend forecasting and from compliance to customer service. The IT road to success though has hardly been rosy.

Evolving technology bringing in numerous devices coupled with the rising penetration of social media is rendering the cybersecurity space vulnerable. One of the key segments that have remained exposed is the third party service – an aspect that is as ubiquitous as the IT. Although the susceptibility varies based on the industry, no enterprise dependent on service providers is immune to data breach at the vendor’s end. Risk incidents involving vendors continue to be in limelight, affecting both large and small business establishments. On the other hand, the rising cost of breach penalties is costing businesses their fortunes.

Inadequately protected vendor IT infrastructure leading to the theft of sensitive consumer data has impacted institutions in innumerable ways. While information security breach and the resultant lack of confidence in the organization’s ability to safeguard data turn the customer away for good, it is followed by irreversible loss of reputation and business. Then there is the regulatory scrutiny which is increasingly working towards slapping hefty penalties.

Regardless, third party service providers continue to be a key component in the global business environment. Vendors will continue to hold the key as IT is not the core competency of all businesses that drive the world business cycle. Healthcare, retail, financial, etc. industries need to depend on IT service providers to make their infrastructure functional. Thus a vendor’s IT capacity becomes the custodian of an organization that stores and processes consumer information.

Concerns and countermeasures

The concerns in vendor risk assessment arise from multiple factors, which are often interlinked and combine to render the defense put in place, if any, ineffective. For one, organizations are found lacking in adequate decision-making insights key for preferring one vendor over the other. This is often accompanied by a tendency to overlook crucial parameters in the service provider’s defense system, its culture and the resultant capacity to defend sensitive consumer data.

Enterprises usually go by past record and present reputation of a third party. While this could be the main deciding factor while choosing a service, lack of past breach history does not make it breach-proof for the future. A detailed and independent analysis should play the decisive role. It is by no means an easy proposition, but a sincere attempt would surely unfold some key information. Further, periodic assessment and review of the security scenario could never be exaggerated.

Spending capacity and intention also play a crucial part in vendor sourcing. While no organization would like to stretch the capacity, what is baffling is the intention of those capable of allocating adequate amount. Companies belonging to the later group view IT expenditure on vendor management as a burden that should be managed as cheaply as possible.

In the process, these companies end up tying up with not-so-well-equipped third parties. There is no denying that financial crunch clip IT spending capacity across sectors. However, it should not make organizations compromise on information security as data breach at the vendor’s end is as equally punished as in the case of in-house risk events.

The reliance on vendors is only going to increase due to the evolving nature of the business space. It also means an increasingly unavoidable scenario of risk exposure. Organizations across business segments have been found to be lacking in capacity to resolve son enough after an issue is discovered. Also, several institutions exhibit inefficiency to tackle situations post an information security breach. While it is no easy task to keep composure after inescapable loss of business and reputation, diligently nurtured true risk management policies and procedures will enable organizations to reasonably protect themselves against adverse information security risk incidents at the vendor’s end. 

The advancement of technological innovation has armed attackers to expose cyber vulnerabilities inherent in networks and systems that handle sensitive information. Once believed to be exclusively designed and executed for military purposes, the realm of cyber warfare is fast expanding to include civilian industries. Menacingly, advanced information technology expertise and superior executional skills of cyber reconnaissance rogues are far outpacing policy developments and forging of combined international strategies, if any.

Interestingly, most countries try to project being passive victims, but a careful consideration reveals that an increasingly large number of countries are actively targeting opponents’ commercial and security-specific information. While state-sponsored attacks are less frequent, counts of espionage and sabotage from individual groups are on the rise. However, the most sophisticated sabotage are carried out by states directly or via hackers supported by the state.

Security company Symantec has detailed how a sophisticated and multi-stage piece of malware, Regin, has been in use since 2008 as a mass surveillance tool. Believed to be a nation state espionage tool, Regin “has been used in spying operations against governments, infrastructure operators, businesses, researchers, and private individuals.” Loaded with stealth features that are highly complex and work for several years, the malware targets ISPs, Exchange servers, and the commercial and military aviation, hospitality and energy sectors, among many others. “Even when its presence is detected, it is very difficult to ascertain what it is doing.”

Frankly, the consequences of state-sponsored cyber warfare are now gradually crossing the mark of just being politically painful for the affected country. The sabotage of Sony’s Pictures Entertainment division computer infrastructure involving hackers calling themselves Guardians of Peace has led to the release of wave of data files containing thousands of classified emails and sensitive personal information of thousands of past and present Sony employees. Speculated to be done as a ‘retaliation’ for the movie The Interview – a lampoon that depicts the assassination of Kim Jong-un, the present North Korean supreme, the Sony episode has reignited the old enmity between Pyongyang and the Pentagon.

The White House calls the attack “cybervandalism” and has promised to respond “proportionately” while it is also viewed as “one of the most destructive cyberattacks on American soil.” The National Defense Commission in North Korea on the other hand warned that its 1.2 million-member army is ready to use all types of warfare against the United States, including “the whole US mainland” for “recklessly” blaming North Korea for the cyber attack – the first instance that the US has directly implicated another country. After things developed, North Korea experienced Internet and mobile network outages about which the White House is reluctant to comment, while the reclusive country has blamed the US accusing its head of acting “like a monkey in a tropical forest.”

Interestingly, while proliferating attacks are bringing newer avenues to the fore, it is also unmasking the weakness of responsible agencies, even with international coordination, to prevent risk events. An investigation exhibits how “not the Americans, not the Brits, not the Indians” could “put together the whole picture” to prevent the Mumbai mayhem on November 26, 2009, despite having credible clues.

The analysis reveals that “although electronic eavesdropping often yields valuable data, even tantalizing clues can be missed if the technology is not closely monitored, the intelligence gleaned from it is not linked with other information, or analysis does not sift incriminating activity from the ocean of digital data.” A former senior US intelligence official admitted, they “didn’t see it coming” as they “were focused on many other things.”

Not foreseeing a potential threat has been one of the chief detriments rendering risk management strategies ineffective while concentrating on “other things” has more often partially blinded the purpose of a holistic risk management approach. A comprehensive cyber security risk management strategy is of vital importance as it enhances operational efficiency, which, in turn, facilitates risk mitigation and ensures rapid response after a risk incident. It also entails a sure-shot belief cyber threats cannot be eliminated in their entirety, and that, therefore, this type of risks must be managed by building a strong operational risk management framework. This is especially true – as we have seen above – because the boundaries of cyber warfare risk are no longer limited to technology.

Although the common challenges to effective risk assessment applies to cyber warfare risk management, to successfully execute a cyber security strategy it is necessary to identify the information or ‘the areas’ that need to be protected. Sound risk management principles help to overcome the barriers by ensuring that systems, network, email and other all other involved tools are constantly evaluated. Implemented efficiently, proper risk management practices will also help in foretelling the effects of a successful cyber breach. Such an estimate will aid in minimizing exposure and assist in rapid response and recovery post disaster.

Businesses and industries need to implement risk management practices to mitigate cyber warfare risks and sustain business continuity in the risk-intensive world and hope that countries will walk towards meaningful cooperation to build accountability and the subsequent response, soon!

Risk Management Studio is a risk management toolkit combining information security and technology risk management with business continuity planning for one easy to use solution. RM Studio is a turnkey deployment design that will immediately streamline the operational risk management for the implementation and maintenance of effective and efficient ISMS, as well as meet the compliance requirements outlined in management standards such as ISO 27001:2013 and PCI DSS 3.0.

As organizations embrace technology, competitive pressures, and globalization to drive business growth, they are redefining success to include the responsibility of restoring economic stability. While some enterprises are moving forward by creating strategic value, a large proportion has failed to effectively measure and manage business performance. Organizations aspire to create a culture of performance based on accountability, intelligence and informed decision-making. By combining structured and unstructured data, gleaned from efficient use of information technology, businesses are trying to ensure the delivery of strategic priorities and goals.

However, due to the absence of mature IT risk management principles organizations are failing to sustain business performance in the risk-intensive world. Failures also originate from non-attachment of adequate importance to the critical role IT risk management plays within the overall risk framework. While an evolved technology risk management helps in identifying, assessing and prioritizing a wide variety of threats involving hardware and software, human error, viruses and malicious attacks, and a poor risk approach exposes the entire business process to several unpredictable endogenous and exogenous factors.

Unfortunately, a steady stream of large-scale technology-related risk events is striking enterprises around the world. In a recent attack, hackers targeted Sony Pictures Entertainment computer network, forcing the global electronics giant to shut down its systems. While the sophisticated attack disrupted operations with recovery time estimated at more than three weeks, the firm has been threatened with unleashing all “internal data including secrets and top secrets”. The incident follows attacks on Sony’s PlayStation game console which has been termed “massive, expensive and absolutely embarrassing.”      

Attacks affecting evolved IT infrastructure represent the growing sophistication of threats and the heightened vulnerability of mid-tier and small businesses’ network structure. IT breach entails damage to reputation, consumer trust and profitability – all integral components of business performance, restoration of which to the previous levels is almost never achieved. Therefore, companies should incorporate mature IT risk management strategy to continue driving business performance, by doing the following:

Improve security: To ensure that an organization’s technology elements contribute to sustaining business performance, it’s a prerequisite that the overall IT environment is adequately protected. It involves securing all software and hardware properties in compliance with regulatory recommendations. Simple steps such as enhanced password policy, regular data back up and software update, and securing remote storage, network connections and servers are vital.

Train Staff: While taking measures for improving the overall IT security are to be viewed as a basic necessity, staff training to handle advanced systems enables the safeguarding of the systems. Insufficiently trained employees entrusted with operational responsibilities fail to execute day-to-day duties, do not foresee any impending threat and fail aid in resolving issues after breach occurs. Also, adequate training boosts employee confidence which contributes to creating a healthy risk culture within an organization.

Identify and analyses risks: Risk identification refers to recognizing any potential threat, intuitively, by logical reasoning and by using past experience. In the Sony example cited above, intermittent adverse events happening over the past few years should have enabled proactive identification of any imminent threat. Analyses of a potential disaster entail determining the scale of impact on business performance. Risk identification and efficient analysis are inseparably linked as faulty or non-identification renders the entire risk practice ineffective.

Prioritize, mitigate and review: Skillful evaluation allows risk managers to prioritize risk treatment based on their potential impact on business performance. IT risks, similar to infrastructure security threats, do not represent opportunity that requires managing them in tune to the risk appetite of the organization. Therefore, mitigation in a mature IT risk strategy should mostly refer to elimination or forestalling of risks. A successful IT risk program equipped to drive business performance comprises periodic review of the risk plan. Reviews of systems and processes facilitate customization of implementation strategy and streamlining budget allocation while ensuring that the culture of risk is ever present.

Build response and recover

Thanks to the rising competition and constantly changing economic scenario, business planning is no longer a one-time exercise. Regular reviews and revisions of the goals as well as the means to achieve the objectives are becoming increasingly important in business planning. For startup businesses, planning involves a bouquet of careful approach to walk through the uncertainties. Business planning for existing enterprises entails disciplined strategies that support sustainability efforts to steer ahead with goals. While business planning for both the types involves multitude of unique activities, integrating technology risk management into the overall framework is of paramount importance for both business types.

Why to adopt technology risk management

In the present scenario of risks acquiring new forms to negatively impact business performance, enterprises – big or small, startups or existing – must embed technology risk management into business planning. As business planning involves a number of disparate elements that require relentless realignment, the use of technology allows greater control. While these factors vary from business to business and give rise to risks unique to the industry, they also vary depending upon the enterprise size, its strategies, its goals and the ways the business performs.

To avoid greater complexity and ensure a streamlined process, business planning should view risks either as internal or external. While internal risks arise because of the way the function, external threats come from factors businesses have no or little control over. However, to ascertain sustaining business in the risk-intensive world, it is imperative for enterprises to develop strategies to confront and counter both internal and external risks, by integrating technology risk management into business planning. These strategies must continue to evolve alongside reviews and revisions of business planning.

Moving forward with technology

Surprisingly, there are establishments that plan to move forward by implementing a spreadsheet based approach. These institutions fail to see that capturing planning information with manual input is cumbersome and time consuming in addition to being mistake-prone. As the business moves forward, a technological approach acquires greater significance. The use of traditional applications like this offer some analytical benefits at an early stage. They cannot substitute an advanced application that comes with innovative features, offer a vast array of price points and can be accessed at geographically distributed locations.

Incorporating an efficient technology risk management framework affords competitive advantage to drive faster growth and greater innovation. In addition to identifying and mitigating financial, operational and regulatory risks, the adoption of technology risk management approach enables enterprises to stay prepared for any unforeseen risk events that could potentially devastate the business by draining finances and ruining reputation. Technology-driven principles allow institutions to acquire foreknowledge of potential threats, thereby allowing managing the risk well, transferring it or forestalling it, depending on the organization’s risk appetite as well as the industry it belongs to.

Reaping prolonged benefits

While a mature technological tool that could be used to its utmost potential enables the integration of all elements involved in business planning, reaping prolonged benefits of integrating technology risk management into business planning depend on some more factors. They include: Risk identification, early integration of technology, resource allocation, continuous evaluation and proactive risk mitigation.

Among the common challenges to risk assessment, threat identification plays a critical role because just as internal and external risks to a business are of numerous types, so are risks specific to the business type both due to belonging to particular industry and because of the ways the business performs its functions. The process of risk identification, in addition to detecting the risks themselves, must identify the vulnerable processes and systems, the failure of which disrupts operations.

Technology tools embedded early into the overall IT infrastructure prove to be more beneficial as they allow better integration, thereby enhancing operational efficiency. Often cost-effective, they are useful than those superimposed on existing structures. Being well accepted, they help early avoidance, transference, and mitigation of risk events. Resource allocation refers to earmarking the necessary funds to procure IT systems and their up-gradation. It also includes hiring competent employees and entrusting the most significant responsibility to the most adequate employee.

Dealing with risk requires an acceptance that it never goes away. Continuous evaluation of systems and procedures allows businesses to detect risks early, before any damage is done. Continuous assessment helps to evaluate a business’ stance on procedures and controls. This, in turn, ensures regulatory compliance, by prioritizing public safety and operations maintenance. Adequate integration of technology risk management into business planning works as an enabler of proactive risk mitigation. Proactive risk management, as opposed to a protective approach, unmasks the actual threat and resolves it. Integration of technology risk management principles serve as a building block for business planning to lead to business continuity.

Additional articles on Information Security by Risk Management Studio:

Anthem Breach - Sophisticated Heist vs. Sloppy Security

Putting Risk Management into Practice: Challenges and Opportunities

Risk Management Studio is a risk management software toolkit combining IT risk management and business continuity management into one easy use solution. RM Studio is a turnkey deployment design that will immediately streamline the operational risk management for the implementation and maintenance of an effective and efficient ISMS, as well as meet the compliance requirements outlined in management standards such as ISO 27001:2013 and PCI DSS 3.0.

"in underground markets health insurance credentials are sold $20 each with an additional $20 for the associated dental, vision, or chiropractic plan information"

http://goo.gl/sFpYm6

According to a Brown University research there has been an increase in the number of infectious disease outbreaks over the past 33 years. The report that analyzed more than 12,000 outbreaks affecting 44 million people globally found the increase in unique illnesses ...

Here is our latest newsletter: