But It Doesn’t Have to Be for You and Your Information Security Program!
Today is the day dubbed the most depressing/miserable/stressful day of the year. A UK Psychologist, Cliff Arnall, created a mathematical formula to calculate this based on a number of factors including the holidays ending, work resuming, debt level, cold gloomy weather, New Year’s resolution failures, etc. While I can’t attest to whether this is true, it prompted me to share a few thoughts on whether or not information security was adding to your misery or stress level!
With all the negative press about the Target and Nieman Marcus breaches, 2014 is shaping up to be a stressful year for those in Information Security. In response, my blog topic for this year’s most miserable day is on measuring Information Security Risk and what to do if it’s adding to your stress level.
Are We Secure?
Boards of Directors and C-Level Management are asking: “Is our information secure?” This question is tough to answer! As the person responsible for information security, how do you best allocate your time, money and budget, especially as there’s never enough of any of them?
So what to do? One of the most important answers to this question is to understand your organization’s risk. For example, I have a client whose security program was based around a compliance mandate and they are now moving or maturing to a risk-based information security program.
Where to Begin
To understand your risk you must decide on how to best measure information security risk within your organization. There are several frameworks for measuring risk, including iRisk, FAIR, OCTAVE, ISO 27005, etc. Begin by understanding these frameworks and choose the best one for your organization. This is actually a straightforward process that doesn’t take a great deal of time.
Next, begin performing assessments to gather the information you will enter into the framework. Risk Assessments and Attack & Penetration Tests, together with Incident Response, will provide you with valuable information.
Be sure to perform a thorough risk assessment. We often find that many organizations perform a risk assessment at such a high level that it provides little value.
There are multiple steps that should go into performing a full risk assessment, typically including:
- Business Process Mapping
- Asset Inventory
- Vulnerability Assessment
- CMMI Control Assessment
- Threat Assessment
- Risk Analysis
- Recommended Risk Treatment Plan
For a third-party source of information on risk assessments, visit the Payment Card Industry (PCI) website. In November of 2012 they released new, more stringent guidance on how thorough a Risk Assessment should be.
A Risk Assessment and Framework will provide an organization with a global view of its information security risks and a framework which can easily be aligned with most Enterprise Risk Programs. This provides security with much greater visibility and understanding among executive leadership and places security risks in their proper context with other business risks.
It provides those in Information Security with a more quantified understanding of their organization’s risk. This information should be used to make more informed decisions on where to best spend your valuable time, money and resources. It also places you in a more defensible position when management questions your strategy.
Defense in Depth
Even if you’ve built the best information security program in the world, you will always face risks. Infrastructure, software, and exploits are constantly changing and it’s impossible to keep up. A robust incident response plan that enables your organization to quickly detect and respond to an incident will lessen your stress and your organization’s exposure. Be sure to test your plan to ensure it’s up-to-date and that people have the authority, or know the chain of command, to implement the necessary steps to contain and eradicate an incident. When dealing with an incident, time is of the essence!
The Good News
While 2014 is shaping up to be a stressful year in information security, there are definitely things you can do to protect your organization and yourself. Contact us to get started.