Effective Information Security & Risk Management ISRM Programmes
Let us start by stating an age-old maxim: You cannot eliminate all risks. But you can reduce the level of risks to an acceptable standard. That’s why building an Information Security and Risk Management (ISRM) programme is essential.
Our businesses generate an ever-increasing volume of data. So, in an era where information is currency, and cyber threats continue to evolve, an effective ISRM programme is a necessity.
Let’s take a quick look at ISRM and what it takes to put in place an effective programme.
What it Means to have an Effective ISRM Programme
Information protection may seem to be an IT function, and for a while it was treated that way. But information has evolved into a critical business support activity. As a result, data security has become a greater issue, and information security needs a strategy of its own.
An Information Security and Risk Management programme gives companies a strategic framework to address infrastructure protection. This framework should be aligned with the company’s vision and objectives. An effective ISRM must incorporate a company’s risk profile. It identifies and evaluates risks to company data with a strategy to mitigate these risks.
The Three Keys to Implementing a Corporate ISRM Programme
Each of these three keys is multi-layered. So, you’ll need a comprehensive and strategic plan to implement each area.
1. Identification of Assets and Threats
The first step in building out your information security plan is identifying your company’s digital assets. You look at the vulnerabilities in your system and the threats you face now or could face in future. Then you identify the controls you have in place and what’s missing.
At this juncture, you put together the information you have pulled about your assets and controls and define what is considered a risk to your company.
This is also the time when you assess your company’s risk tolerance. What are the acceptable risks you’re willing to take, and where do you draw the line? Once you’ve outlined that line in the sand, you can start the process of identifying the controls necessary to prevent those unacceptable risks from becoming a reality.
You should note, however, that assessment of risks comes with an inherent flaw – the subjectivity of perceived risks. As explained by Malcolm W Harkins in Managing Risk and Information Security, within an organisation, each individual’s and group’s “role, goal, background, and peer group influences the perception of risks.”
This can even happen to security professionals. For example, enterprise IT might take a typical “set and forget” path and fail to keep controls up-to-date. Keeping controls current means not ignoring seemingly older threats in favour of newer risks. At this juncture, an independent third-party security expert can assess the risks in keeping with the goals and structure of the company.
3. Treatment & Monitoring
Here you’ll outline and implement the strategies necessary to address the risks identified. This may include remediation, steps towards risk avoidance, or transferring the risk. It could also mean accepting the risks as part of your company’s risk tolerance profile.
Managing Risk and Information Security – where do you go from here?
As a CISO or Chief Risk Officer responsible for risk management and information security, it’s on you to get it right. Your core business functions, brand value, and image are all tied to your ability to keep your company and its clients’ information secure.
What, therefore, can you do? It’s an ongoing process, one that has to be reviewed and updated as the risks change and threats evolve.
If you manage a government agency or operate a medium to large size business, we should talk. Let’s discuss how to develop a comprehensive ISRM programme, one that includes an effective cybersecurity incident response plan.