1st Edition

Practical Risk Management for the CIO

By Mark Scherling, Copyright 2011
    400 Pages, 34 B/W Illustrations
    Published by Auerbach Publications


    The growing complexity of today’s interconnected systems has not only increased the need for improved information security, but also helped to move information from the IT backroom to the executive boardroom as a strategic asset. And, just like the tip of an iceberg is all you see until you run into it, the risks to your information are mostly invisible until disaster strikes.

    Detailing procedures to help your team perform better risk assessments and aggregate results into more meaningful metrics, Practical Risk Management for the CIO approaches information risk management through improvements to information management and information security. It provides easy-to-follow guidance on how to effectively manage the flow of information and incorporate both service delivery and reliability.

    • Explains why every CIO should be managing his or her information differently
    • Provides time-tested risk ranking strategies
    • Considers information security strategy standards such as NIST, FISMA, PCI, SP 800, & ISO 17799
    • Supplies steps for managing: information flow, classification, controlled vocabularies, life cycle, and data leakage
    • Describes how to put it all together into a complete information risk management framework

    Information is one of your most valuable assets. If you aren’t on the constant lookout for better ways to manage it, your organization will inevitably suffer. Clarifying common misunderstandings about the risks in cyberspace, this book provides the foundation required to make more informed decisions and effectively manage, protect, and deliver information to your organization and its constituents.

    Introduction: Why Risk Management?

    Liability
    Personal Data Disclosed or Stolen
    Intellectual Property Lost or Stolen
    Wrong Decisions Made
    Liability Risks

    Service Delivery
    Transaction Centric
    Information Centric
    Risks to Service Delivery
    Risks to the CIO

    PRINCIPLES AND CONCEPTS

    Overview
    Market Risks
    Budget Risks
    People Risks
    Technology Risks
    Operational Risks
    Information Risks
    Control Risks
    Detection Risks
    Risk Treatment

    Basic Concepts, Principles, and Practices
    Concepts
    Risk IT Framework Principles
    ISO 31000 Risk Management Principles
    Other Risk Management Principles
    Summary: Risk Management and Risk IT Principles
    Information Security Principles
    Accountability Principle
    Awareness Principle
    Ethics Principle
    Multidisciplinary Principle
    Proportionality Principle
    Integration Principle
    Timeliness Principle
    Assessment Principle
    Equity Principle
    Information Management Principles
    Value
    Life Cycle
    Reuse
    Proliferates Quickly
    Dependencies
    Principles

    Risk Assessment, Analysis, and Procedures
    Making Decisions: Fact or Fiction? How Do You Decide?
    Confidence Ranking Process
    Facts
    Calculations
    Estimations
    Guesses
    Risk Management Starts with the Individual
    Managing Risky People
    Risk Management Profiling and Risk Culture
    Measuring Risks or Uncertainty
    How to Measure Risks
    Identify the Risk
    Consensus of the Risk
    Analysis of Risk
    Mitigate the Risk
    Monitor the Risk
    Reassess the Risk
    Performing a Risk Assessment
    Team or Committee Selection
    Step 1: Define Parameters
    Taxonomy of Risk Types
    Scope, Time Frame, Complexity, and Stakeholders
    Step 2: Identify Risks and Impacts
    Step 3: Consensus of Risks and Impacts
    Step 4: Risks and Impacts Analysis
    Step 5: Prioritize Risks and Impacts
    Step 6: Review Existing Controls
    Step 7: Risks and Impacts Mitigation Analysis
    Step 8: Costing, Prioritization, and Decisions
    Step 9: Implementation
    Step 10: Review

    Metrics
    User Experienced Metrics

    Best Practices
    Principles and Concepts: Section Summary

    Part II: SERVICE DELIVERY

    Product Management
    Products You Deliver as a CIO
    Information Delivery: How Information Flows in Your Organization
    Organizing IT for Information Delivery, Management, and Protection

    Process Management

    Project Management
    Projects
    Risk Ranking
    Vulnerability Scanning
    Reporting

    IT Service Management
    Opportunity Capacity

    Reporting on Service Delivery

    Service Delivery: Section Summary

    LIABILITIES MANAGEMENT

    Information Management
    The Value of Information
    Classify Your Information: Value and Categories
    Value/Sensitivity of Information
    Categories of Information
    Controlled Vocabulary, Taxonomies, Keywords, and Search
    Controlled Vocabularies
    Summary
    Identify Information Assets
    Information Has a Life Cycle
    Database Information Life Cycle
    Information Flows
    Information Flow Analysis
    Information Management Strategy
    Designing Information Management across Large Organizations
    Steps to Better Information Management

    Information Protection
    Security Controls
    Essential Controls
    Personnel (Includes Management and Operations)
    Technology
    Information
    Ingress
    Egress
    Database Security and Monitoring
    Defense in Depth
    Audit and Compliance
    Documentation
    Information Security Architecture
    Reporting on Information Security
    FISMA, NIST, and FIPS
    Why
    What
    Specifications for Minimum Security Requirements
    How
    Payment Card Industry Data Security Standard
    Analysis of Good Information Security Practices
    Employee, Hacker, Insider, or Outsider
    Insiders
    Employees
    Partners
    Contractors
    Outsourced
    Insider Threats
    Insider Controls
    Outsiders
    General Public
    Hackers
    Customers, Clients, Others
    Outsider Threats
    Outsider Controls
    Data Loss Prevention/Information Knowledge Leakage
    Database Solutions
    Network and End-Point Solutions
    Portable Device Control
    Defining the Risk
    Deploying DLP Solutions
    Paper: Print, Keep, Shred

    E-Discovery
    Rules and Obligations
    Standard of Proof
    E-Discovery Process
    Information Management
    Collection and Preservation
    Production
    Presentation
    Summary of E-Discovery

    Privacy

    Policies and Procedures
    Writing Good Policies
    Communicating Policy
    Enforcing Policy
    Writing Good Procedures
    Following Procedures
    Next-Generation Policies and Procedures

    Planning for Big Failures or Business Continuity
    Business Resilience and Redundancy
    Business Continuity Management

    Liabilities Management: Section Summary

    PUTTING IT ALL TOGETHER

    Designing a Risk Management Strategy
    External Factors
    Organization Structure
    Identify Assets
    Compliance Requirements
    Risk Management Profiles
    Risk Culture
    Governance
    Risk Management Strategy for Service Delivery
    Risk Management Strategy for Liabilities
    Consolidated Risk Management Strategy
    Risk Management Framework: Outline
    Maintain Risk Management Program
    Resourcing a Risk Management Program

    Forward-Looking Risk Management

    Preparing for a "Black Swan"

    Conclusion

    Appendices:
    OECD Privacy Principles
    Project Profiling Risk Assessment
    Risk Impact Scales
    Classification Schema

    Bibliography

    Index

    Biography

    Mark Scherling, CISSP, CRM, has been working in IT for over 30 years. For the past four years, he has been managing information security and privacy for the Justice Sector in the Government of British Columbia (Canada). Prior to the Justice Sector, he managed the Information Security Investigations Unit for the entire BC government.

    He has designed and implemented public key infrastructure (PKI) and security solutions for numerous clients. He is considered a Subject Matter Expert in Risk Management and Information Security by the Information Systems Audit and Control Association (ISACA). He contributed to the Risk IT Framework and Certification in Risk and Information Systems (CRISC), a new ISACA Certification. He is viewed as a Security and Risk Management Expert by many people within and associated with the Government of British Columbia.

    His background includes sales, marketing, and information management. In the mid-1990s, he was instrumental in developing and implementing the Canadian Department of National Defence Intranet (the DIN). He has significant experience in information and knowledge management, and he combines this expertise with information protection to create an information risk management strategy for Chief Information Officers (CIOs).

    He has been part of the evolution of information technology (IT) from Digital Equipment's VAXes and PDP-11s to mobile computing, the Internet, and cloud computing. The interconnected world we now live in holds exciting promise to link people, computers, applications, and information, but there are risks when we link everything together and share information, while organizations are always trying to reduce costs and improve customer relations. Mark has been involved in information security for over 13 years and has shifted his approach from simple information security to risk management strategies. As the Internet continues to evolve, so do information security and risk management.

    The reality is that we need better ways of managing risks to our information and services. He takes a more holistic approach to risks, considering not just liabilities but also service delivery, because information is one of our most important assets.

    "This is an exceptionally well-written primer for anyone responsible for corporate information risk management. … It's obvious that the author has regularly encountered and solved the problems he describes in the course of his three decades in Canadian government and justice IT, and he has an appealing no-nonsense approach. … the true greatest strength of this book is its holistic viewpoint - all too rare and much appreciated - that demonstrates how all the disparate aspects of information management actually fit together to create a robust business asset base. I can unhesitatingly recommend it, not only to CIOs but also to anyone tasked with protecting corporate information assets, whatever the level of their role. It imparts understanding, which is vastly more useful than mere facts. An excellent holistic primer on corporate information management. The author's credentials are fully justified by the clear, concise and informative text. A must-have for CIOs and anyone else managing business information assets."
    Michael Barwise, BSc, CEng, CITP, MBCS, in InfoSec Reviews, September 2011