Cyber Information Risk Management Still Needs Improvement

Cybersecurity threats and attacks across various business sectors are on the rise pressuring for organizations to continuously assess the risks to any information. While the General Data Protection Regulation (GDPR) has garnered a lot of buzz in 2018, many standards and regulations in the United States also require cybersecurity.

But what are the technical details and operational steps needed to meet the high level guidance on cybersecurity risk? A recent Advisen survey revealed some interesting statistics:

• 35% of respondents rated data integrity risks as “high risk” versus only 22% that of rated business continuity risks, or cyber related business interruption
• Only 60% of the risk professionals surveyed said their executive management team viewed cyber risk as a significant threat to the organization, down 23% from the previous year.
• Only 53% knew of any updates or changes even after the 2017 high profile attack

In short, these statistics paint a grim picture over the state of cybersecurity in the United States. While organizations are aware of the high risk of cyber attacks, management team involvement may be decreasing, and organizations may not be evolving their cybersecurity programs quickly enough.

Creating a security first cyber risk mitigation posture

Many organizations have moved to a risk analysis security first compliance posture to enable stronger risk mitigation strategies and incorporate senior management oversight. However, identifying the potential risks to your environment only acts as the first step to understanding your overall risk. In order to identify all potential risks and engage in a full risk analysis that appropriately assesses the overall risk facing your data, you need to incorporate vendor risk as part of your risk management process.

That’s a lot of risk discussion, but you also have a lot of places in your overarching ecosystem that create vulnerabilities. Using a risk management process that establishes a security-first approach to your organization’s data environment and ecosystem means that you’re locking down potential weaknesses first and then backtracking to ensure you’ve aligned controls to standards and regulations. This approach, although it seems backward from a traditional compliance point-of-view, functions as a stronger risk mitigation program by continuously monitoring your data protection to stay ahead of hackers. Standards and regulations mean well, but as malicious attacks increasingly become sophisticated the best practices within these documents may be outdated in a single moment.

What is an information risk management (IRM) program?

An information risk management (IRM) program consists of aligning your information assets to a risk analysis, creating IRM policies that formalize the reasoning and decisions, and communicating these decisions with senior management and the Board of Directors. The National Institute of Standards and Technology (NIST) and the International Standards Organization (ISO) both provide guidance for establishing an IRM.

For example, the September 2017 NIST update to NIST 800-37 focuses on promoting information security by recognizing the need for organizational preparation as a key function in the risk mitigation process.

In fact, the core standards organization, ISO, updated its ISO 27005 in July 2018 to focus more on the information risk management process.

Specific to the United States, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) updated it enterprise risk management framework to minimize data threats while requiring organizations to detail potential risks and manage risks more proactively.

As risk analysis increasingly drives information security practices, you need to focus on a risk treatment program that begins with risk identification, establishes an acceptable level of risk, defines your risk treatment protocols, and create risk mitigation processes.

Create an information risk management (IRM) team

In order to appropriately manage risk, you need to create an IRM Team consisting of stakeholders across the organization. Relying solely on your IT department may leave gaps in the process. To determine the stakeholders, you should explore the departments integral to risk identification. For example, you might want to ask yourself:

• What departments hire vendors?
• What departments can help with the overall risk process?
• What stakeholders are legally required (in the United States) to be informed of the risk process?
• Who brings unique insights into the risks that affect my data environment and ecosystem?

For example, while your IT department sets the controls that protect your information, your human resources department handles a lot of sensitive data. You need to incorporate stakeholders who understand the data risks unique to their role in your organization so that they can work with your Chief Information Officer and Chief Information Security Officer. Additionally, many United States regulations, such as the Sarbanes-Oxley Act of 2002 (SOX) require senior management and Board of Director oversight so they should also be included as part of your IRM team.

Begin with business processes and objective

Many organizations forget that businesses processes and organizational business objectives should be the baseline for their risk analysis. Senior management needs to not only review the current business objectives but think about the future as part of the risk identification process. Some questions to ask might include:

• What businesses processes are most important to our current business objectives?
• Do we want to scale in the next 3-5 years?
• What business processes do we need to meet those goals?

Understanding the current business objectives and future goals allows organizations to create stronger risk mitigation strategies. Many organizational goals rely on adding new vendors whose software-as-a-service products enable scalability. Therefore, you need to determine where you are as well as where you want to be so that you can protect the data that grows your organization and choose vendors who align with your acceptable level of risk.

Catalogue your IT assets

The next step in the risk analysis process requires you to look at all the places you transmit, store, or access data. This step often becomes overwhelming as you add more cloud storage locations that streamline employee workflows. Some questions to ask here might include:

• What information is most critical to my business processes?
• What servers do I store information on?
• What networks does information travel over?
• What devices are connected to my servers and networks?
• What information, servers, networks, and devices are most essential to my targeted business processes?
• What vendors do I use to management my data?

Review your potential risks from user access

Once you know what information you need to protect and where it resides, you need to review the users accessing it. Using multi-factor authentication and maintaining a “need to know” access protocol protects your information.

• Who accesses critical information?
• What vendors access your systems and networks?
• Does each user have a unique ID?
• Can each user be traced to a specific device?
• Are users granted the least authority necessary to do their jobs?
• Do you have multi-factor authentication processes in place?
• Do users have strong passwords?
• Do you have access termination procedures in place?

These questions can help you manage risks to critical information because employees lack password hygiene or decide to use the information maliciously upon employment termination.

Establish an acceptable level of risk

Once you’ve completed the risk identification process, You need to review what risks you want to accept, transfer, refuse, or mitigate. To determine the acceptable level of risk, you may want to ask some questions such as:

• What is an acceptable level of external risk to my data environment?
• What is an acceptable level of risk arising out of vendor access?
• How do I communicate the acceptable level of risk to senior management?
• How can I incorporate my acceptable level of risk in service level agreements (SLAs) with my vendors?
• Can I quantify the acceptable level of risk I have assumed as part of my risk analysis?

Your information risk management (IRM) process needs to incorporate the full level of tolerances and strategies that protect your environment. In some cases, you may decide that a risk is unacceptable. For example, you may want to limit consultants from accessing your corporate networks and servers. In other instances, you may need to find ways to mitigate risks with controls such as password management or a Bring-Your-Own-Device policy.

Define the controls that manage risk

Once you’ve set the risk tolerance, you need to define controls that manage that risk. This process is also called risk treatment. Your data ecosystem can leave you at risk for a variety of data breach scenarios, so you need to create information risk management (IRM) policies that outline your risk treatment decisions. In doing this, you need to question:

• What firewall settings do I need??
• What controls protect my networks and servers?
• What data encryption protects information in transit across my networks and servers?
• What encryption protects the devices that connect to my systems and networks?
• What do I need to make sure that all vendor supplied passwords are change?
• What protects my web applications from attacks?
• What do I need from my vendors as part of my SLAs to ensure they maintain an acceptable level of security?

Defining your controls includes everything from establishing passwords to requiring anti-malware protection on devices that connect to your systems and networks. Creating a clearly defined risk treatment program enables a stronger security-first position since your IRM policies focus on protecting data proactively rather than reactively changing your security controls after a data event occurs.

Tracking the cyber risks with IRM policies

Creating a holistic security-first approach to risk treatment and management means using IRM policies to help create a risk register. A risk register creates a tracking list that establishes a mechanism for responding to security threats. Your IRM policies, which should outline the entire risk management process, help establish the risk register by providing the list of risks monitored and a threat’s impact.

Although this process seems intuitive, the larger your environment and ecosystem, the more information you need to track. As you add vendors and business partners, you increase the risk register’s length making threat monitoring cumbersome.  

How SecurityScorecard enables the information risk management process

SecurityScorecard continuously monitors threats to your environment across ten factors: application security, DNS health, network security, patching cadence, endpoint security, IP reputation, web application security, cubit score, hacker chatter, leaked credentials, and social engineering.

Using these ten factors, organizations can streamline the risk management process. A primary hassle for those engaging in the risk management process lies in defining risks and establishing definitions for controls that mitigate overall risk. The ten factors remove the burden of identifying both risks to the environment and ecosystem as well as controls that mitigate risk. Moreover, you can use these same ten factors to quantify your risk monitoring and reaction, as well as the security of your vendors.

SecurityScorecard’s continuous cyber monitoring tool can help alleviate bandwidth problems and help facilitate a cybersecurity program more in line with the sophisticated cyberthreat landscape.