The growing complexity of today’s interconnected systems has not only increased the need for improved information security, but also helped to move information from the IT backroom to the executive boardroom as a strategic asset. And, just like the tip of an iceberg is all you see until you run into it, the risks to your information are mostly invisible until disaster strikes.
Detailing procedures to help your team perform better risk assessments and aggregate results into more meaningful metrics, Practical Risk Management for the CIO approaches information risk management through improvements to information management and information security. It provides easy-to-follow guidance on how to effectively manage the flow of information and incorporate both service delivery and reliability.
- Explains why every CIO should be managing his or her information differently
- Provides time-tested risk ranking strategies
- Considers information security strategy standards such as NIST, FISMA, PCI, SP 800, & ISO 17799
- Supplies steps for managing: information flow, classification, controlled vocabularies, life cycle, and data leakage
- Describes how to put it all together into a complete information risk management framework
Information is one of your most valuable assets. If you aren’t on the constant lookout for better ways to manage it, your organization will inevitably suffer. Clarifying common misunderstandings about the risks in cyberspace, this book provides the foundation required to make more informed decisions and effectively manage, protect, and deliver information to your organization and its constituents.
Introduction: Why Risk Management?
Liability
Personal Data Disclosed or Stolen
Intellectual Property Lost or Stolen
Wrong Decisions Made
Liability Risks
Service Delivery
Transaction Centric
Information Centric
Risks to Service Delivery
Risks to the CIO
PRINCIPLES AND CONCEPTS
Overview
Market Risks
Budget Risks
People Risks
Technology Risks
Operational Risks
Information Risks
Control Risks
Detection Risks
Risk Treatment
Basic Concepts, Principles, and Practices
Concepts
Risk IT Framework Principles
ISO 31000 Risk Management Principles
Other Risk Management Principles
Summary: Risk Management and Risk IT Principles
Information Security Principles
Accountability Principle
Awareness Principle
Ethics Principle
Multidisciplinary Principle
Proportionality Principle
Integration Principle
Timeliness Principle
Assessment Principle
Equity Principle
Information Management Principles
Value
Life Cycle
Reuse
Proliferates Quickly
Dependencies
Principles
Risk Assessment, Analysis, and Procedures
Making Decisions: Fact or Fiction? How Do You Decide?
Confidence Ranking Process
Facts
Calculations
Estimations
Guesses
Risk Management Starts with the Individual
Managing Risky People
Risk Management Profiling and Risk Culture
Measuring Risks or Uncertainty
How to Measure Risks
Identify the Risk
Consensus of the Risk
Analysis of Risk
Mitigate the Risk
Monitor the Risk
Reassess the Risk
Performing a Risk Assessment
Team or Committee Selection
Step 1: Define Parameters
Taxonomy of Risk Types
Scope, Time Frame, Complexity, and Stakeholders
Step 2: Identify Risks and Impacts
Step 3: Consensus of Risks and Impacts
Step 4: Risks and Impacts Analysis
Step 5: Prioritize Risks and Impacts
Step 6: Review Existing Controls
Step 7: Risks and Impacts Mitigation Analysis
Step 8: Costing, Prioritization, and Decisions
Step 9: Implementation
Step 10: Review
Metrics
User Experienced Metrics
Best Practices
Principles and Concepts: Section Summary
Part II: SERVICE DELIVERY
Product Management
Products You Deliver as a CIO
Information Delivery: How Information Flows in Your Organization
Organizing IT for Information Delivery, Management, and Protection
Process Management
Project Management
Projects
Risk Ranking
Vulnerability Scanning
Reporting
IT Service Management
Opportunity Capacity
Reporting on Service Delivery
Service Delivery: Section Summary
LIABILITIES MANAGEMENT
Information Management
The Value of Information
Classify Your Information: Value and Categories
Value/Sensitivity of Information
Categories of Information
Controlled Vocabulary, Taxonomies, Keywords, and Search
Controlled Vocabularies
Summary
Identify Information Assets
Information Has a Life Cycle
Database Information Life Cycle
Information Flows
Information Flow Analysis
Information Management Strategy
Designing Information Management across Large Organizations
Steps to Better Information Management
Information Protection
Security Controls
Essential Controls
Personnel (Includes Management and Operations)
Technology
Information
Ingress
Egress
Database Security and Monitoring
Defense in Depth
Audit and Compliance
Documentation
Information Security Architecture
Reporting on Information Security
FISMA, NIST, and FIPS
Why
What
Specifications for Minimum Security Requirements
How
Payment Card Industry Data Security Standard
Analysis of Good Information Security Practices
Employee, Hacker, Insider, or Outsider
Insiders
Employees
Partners
Contractors
Outsourced
Insider Threats
Insider Controls
Outsiders
General Public
Hackers
Customers, Clients, Others
Outsider Threats
Outsider Controls
Data Loss Prevention/Information Knowledge Leakage
Database Solutions
Network and End-Point Solutions
Portable Device Control
Defining the Risk
Deploying DLP Solutions
Paper: Print, Keep, Shred
E-Discovery
Rules and Obligations
Standard of Proof
E-Discovery Process
Information Management
Collection and Preservation
Production
Presentation
Summary of E-Discovery
Privacy
Policies and Procedures
Writing Good Policies
Communicating Policy
Enforcing Policy
Writing Good Procedures
Following Procedures
Next-Generation Policies and Procedures
Planning for Big Failures or Business Continuity
Business Resilience and Redundancy
Business Continuity Management
Liabilities Management: Section Summary
PUTTING IT ALL TOGETHER
Designing a Risk Management Strategy
External Factors
Organization Structure
Identify Assets
Compliance Requirements
Risk Management Profiles
Risk Culture
Governance
Risk Management Strategy for Service Delivery
Risk Management Strategy for Liabilities
Consolidated Risk Management Strategy
Risk Management Framework: Outline
Maintain Risk Management Program
Resourcing a Risk Management Program
Forward-Looking Risk Management
Preparing for a "Black Swan"
Conclusion
Appendices:
OECD Privacy Principles
Project Profiling Risk Assessment
Risk Impact Scales
Classification Schema
Bibliography
Index
Biography
Mark Scherling, CISSP, CRM, has been working in IT for over 30 years. For the past four years, he has been managing information security and privacy for the Justice Sector in the Government of British Columbia (Canada). Prior to the Justice Sector, he managed the Information Security Investigations Unit for the entire BC government.
He has designed and implemented public key infrastructure (PKI) and security solutions for numerous clients. He is considered a Subject Matter Expert in Risk Management and Information Security by the Information Systems Audit and Control Association (ISACA). He contributed to the Risk IT Framework and to Certified in Risk and Information Systems Control (CRISC), a new ISACA certification. He is viewed as a Security and Risk Management Expert by many people within and associated with the Government of British Columbia.
His background includes sales, marketing, and information management. In the mid-1990s, he was instrumental in developing and implementing the Canadian Department of National Defence Intranet or the DIN. He has significant experience in information and knowledge management. He combines this expertise with information protection to create an information risk management strategy for Chief Information Officers (CIOs).
He has been part of the evolution of information technology (IT) from Digital Equipment's VAXes and PDP-11s to mobile computing, the Internet, and cloud computing. The interconnected world we now live in holds exciting promise to link people, computers, applications, and information. There are risks when we link everything together and share information. Organizations are always trying to reduce costs and improve customer relations. Mark has been involved in information security for over 13 years and has shifted his approach from simple information security to risk management strategies. As the Internet continues to evolve, so do information security and risk management.
The reality is that we need better ways of managing risks to our information and services. He takes a more holistic view of risk, considering not just liabilities but also service delivery, because information is one of our most important assets.
This is an exceptionally well-written primer for anyone responsible for corporate information risk management. … It's obvious that the author has regularly encountered and solved the problems he describes in the course of his three decades in Canadian government and justice IT, and he has an appealing no-nonsense approach. …the true greatest strength of this book is its holistic viewpoint - all too rare and much appreciated - that demonstrates how all the disparate aspects of information management actually fit together to create a robust business asset base. I can unhesitatingly recommend it, not only to CIOs but also to anyone tasked with protecting corporate information assets, whatever the level of their role. It imparts understanding, which is vastly more useful than mere facts. An excellent holistic primer on corporate information management. The author's credentials are fully justified by the clear, concise and informative text. A must-have for CIOs and anyone else managing business information assets.
—Michael Barwise, BSc, CEng, CITP, MBCS, in InfoSec Reviews, September 2011