A lot has been said recently about IT security governance and IT security governance frameworks. Despite this, the most prevalent question seems to be 'How do I go about implementing one?' This article will highlight the approach our organisation has taken in doing this. Here is how it works:
The framework is based on the ISO 27000 series and CobiT standards, and has the relevant legislation and best practices built into it. The heart of this framework is the initial risk analysis, which benchmarks the organisation against the 34 CobiT control objectives and the guidelines established in the ISO 27001 and 27002 documents. The risk analysis is performed in complete consultation with the business. This allows us to understand the organisation's culture, values, philosophy, etc., which we reflect in the risk analysis and the subsequent framework development and implementation processes.
Highlighting these risks allows the organisation to see its vulnerabilities and helps gain buy-in from senior management. The risk analysis is really the start of the implementation of an appropriate IT security governance framework based on the CobiT guidelines. The risk analysis exercise is based on interviews with key stakeholders. This ensures widespread organisational consultation, which helps with acceptance of the process and its outcomes, as well as establishing the organisation's risk appetite. Once the results of the risk analysis are available, they are workshopped with key stakeholders to agree a way forward.
It is vital to take a risk-based approach to IT security within any organisation. This process helps the business understand what exposures it has to IT security risks in monetary terms and thus be able to dedicate relevant funds to mitigating these risks.
The best way to calculate risk is based on the TIK framework: Risk = ((Vulnerability * Threat) / CounterMeasure) * AssetValueatRisk
Simply put, this allows us to understand the risk of an adverse event affecting an asset. The terms are: Vulnerability (the exposure that an adversary can exploit), Threat (the attacker), CounterMeasure (any risk treatment measures in place) and AssetValueatRisk (the value of the asset at risk).
The point of calculating the risk is to establish the dollar value of the exposure. This in turn provides a figure that the business should not spend more than on a control measure, as spending above it results in a negative return on investment for that control. This is exactly what the business needs to understand to determine how much it should spend on a control measure. Using this process, you can determine the value of the asset at risk, the threats and vulnerabilities, and how much to spend mitigating the risks.
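The calculation and spending cap described above can be applied across a small risk register. The following is an added example, not part of the original article; the rating scales (Vulnerability and Threat from 0 to 1, CounterMeasure of 1 or more where 1 means no control in place), the asset names and all figures are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class RiskItem:
    asset: str
    vulnerability: float          # assumed scale: 0..1
    threat: float                 # assumed scale: 0..1
    countermeasure: float         # assumed scale: >= 1, where 1 = no control in place
    asset_value_at_risk: float    # dollars
    proposed_control_cost: float  # dollars

def risk_exposure(item: RiskItem) -> float:
    """Risk = ((Vulnerability * Threat) / CounterMeasure) * AssetValueatRisk."""
    if not (0 <= item.vulnerability <= 1 and 0 <= item.threat <= 1):
        raise ValueError(f"{item.asset}: ratings must be within 0..1")
    if item.countermeasure < 1:
        # Rejects zero (division by zero) and values that would inflate
        # the exposure beyond the value of the asset itself.
        raise ValueError(f"{item.asset}: countermeasure must be >= 1")
    factor = item.vulnerability * item.threat / item.countermeasure
    return factor * item.asset_value_at_risk

def review_register(items):
    """Rank items by dollar exposure and flag controls that cost more than the risk."""
    rows = []
    for item in items:
        exposure = round(risk_exposure(item), 2)
        rows.append({
            "asset": item.asset,
            "exposure": exposure,
            # Spending above the exposure gives a negative return on investment.
            "within_cap": item.proposed_control_cost <= exposure,
        })
    return sorted(rows, key=lambda r: r["exposure"], reverse=True)

# Constructed sample register (not real data).
REGISTER = [
    RiskItem("HR file share", 0.25, 0.5, 1.0, 40_000, 4_000),
    RiskItem("customer database", 0.8, 0.5, 2.0, 500_000, 60_000),
    RiskItem("public website", 0.5, 0.75, 1.0, 80_000, 45_000),
]

if __name__ == "__main__":
    for row in review_register(REGISTER):
        verdict = "ok" if row["within_cap"] else "exceeds exposure"
        print(f'{row["asset"]:<20} ${row["exposure"]:>10,.2f}  control cost: {verdict}')
```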
Risk treatment can take four forms. The organisation may choose to eliminate / mitigate (put controls in place to reduce / remove the risk), accept (accept the risk that exists and carry on), avoid (change business activities so that the risk does not eventuate) or transfer (gain insurance against the risk). The important part here is that regardless of the risk treatment chosen, the residual risk remaining after the controls are put in place should be acceptable to the business.
The next stage is the risk treatment process, carried out in light of the principles outlined above. A number of parallel activities commence after the risk analysis. These include strengthening the existing control weaknesses as well as establishing an IT security governance framework underpinned by relevant policies and procedures.
Once the existing risks have been treated, a robust monitoring and audit function is built into the organisation. This will include performing audits against CobiT control objectives for key risk areas as highlighted by the business. The risk analysis exercise is also repeated on an annual basis or whenever significant changes are made to the organisation to ensure that new risks are constantly being evaluated and treated. The framework is established in complete alignment with the organisation’s business drivers, goals and risk appetite to ensure maximum value and return on investment.
IT security governance and related issues are being pushed more and more to the forefront, and I hope I have been able to outline a simple approach to addressing this. Understanding your assets, their value and their risks is key. Once you know this, spend no more than the value of the risk itself to treat the risks to ensure return on investment. Constantly evaluate existing risk treatment methods to ensure their effectiveness. Do not forget new risks that will appear. The aforementioned IT risk analysis process will help highlight these so that they can be understood and treated.