Introduction To Information Risk Management In The UK

Before we go into details about managing information risk, let’s start with a working definition we can refer back to:

Information risk management (IRM) comprises the policies, procedures, and technology an organisation adopts to reduce the threats, vulnerabilities, and consequences that could arise if its data is not protected.

Below, we’ve broken down each part of this working definition so you can best understand how U.K. businesses can manage risk.

Understanding Threats, Vulnerabilities, & Consequences

Information risk management is built on the classic equation for determining risk:

Risk = Threat × Vulnerability × Consequence

  • Threat is the source of potential harm, and it is present across every domain of information risk management—third-party vendors, cyber attackers, and physical security alike.
  • Vulnerability is made up of the gaps in your IRM protection programme. Once you understand which gaps your organisation has and how they could be exploited, you can address your risk far more precisely.
  • Consequence takes into account the value of the information you are protecting. Some sensitive information is obvious, like trade secrets. Some is less obvious, like personal data whose protection is a legal requirement: the consequence of losing it includes regulatory penalties, not just business impact.
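The equation above is most useful when it is applied consistently across a whole risk register, so that entries can be ranked and the effect of a proposed control measured. The following Python sketch does that; it is an added illustration, not code from the original post or from BitSight. The three-point scale, the asset names and the ratings are all assumptions constructed for the example, and the legal-requirement point from the last bullet is reflected by rating regulated personal data as high consequence.

```python
"""Worked example of Risk = Threat x Vulnerability x Consequence on a small,
constructed risk register.  Qualitative bands (low/medium/high) are mapped to
numbers so entries can be ranked and residual risk after a control compared."""
from dataclasses import dataclass

# Assumed qualitative-to-quantitative scale for this example; use your own
# organisation's scale in practice.
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: str         # likelihood that a threat source acts against the asset
    vulnerability: str  # size of the control gap the threat could exploit
    consequence: str    # impact of loss, including regulatory exposure

    def __post_init__(self):
        # Reject ratings outside the agreed scale so a typo cannot silently
        # score as zero or be skipped.
        for name in ("threat", "vulnerability", "consequence"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name} must be one of {sorted(SCALE)}")

    def score(self) -> int:
        """Risk = Threat x Vulnerability x Consequence on the numeric scale."""
        return SCALE[self.threat] * SCALE[self.vulnerability] * SCALE[self.consequence]


def band(score: int) -> str:
    """Map a 1..27 score back to a reporting band (thresholds are assumptions)."""
    if score >= 12:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def rank(register):
    """Highest-risk entries first, so treatment effort goes where it matters."""
    return sorted(register, key=lambda e: e.score(), reverse=True)


def residual(entry: RiskEntry, new_vulnerability: str) -> int:
    """Score after a control narrows the gap.  Threat and consequence are left
    unchanged: a control changes neither who attacks you nor what the data is
    worth, only how exposed it is."""
    return RiskEntry(entry.asset, entry.threat, new_vulnerability,
                     entry.consequence).score()


def report(register):
    """(asset, score, band) tuples in ranked order, ready for a board summary."""
    return [(e.asset, e.score(), band(e.score())) for e in rank(register)]


# Constructed sample register (hypothetical assets and ratings).
REGISTER = [
    RiskEntry("Customer database (personal data, GDPR)", "high", "medium", "high"),
    RiskEntry("Public marketing website", "medium", "high", "low"),
    RiskEntry("Engineering file share (trade secrets)", "medium", "medium", "high"),
    RiskEntry("Payroll processor (third party, no security clauses)", "high", "high", "high"),
]

if __name__ == "__main__":
    for asset, score, level in report(REGISTER):
        print(f"{score:2d} {level:6s} {asset}")
    payroll = REGISTER[3]
    # Effect of the contract review recommended later in this post: the gap
    # drops from high to medium, the other two factors stay as they are.
    print("payroll residual after contract review:", residual(payroll, "medium"))
```

Running it ranks the third-party payroll processor first (27) ahead of the customer database (18), and shows that a contract review alone brings the processor down to 18, still in the high band; that is the kind of number worth tracking as a metric over time.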

Policies To Adopt

Policies come in many different forms: some are created within a company, some are standard to an industry, some are regulatory, and some are fiduciary. Together, these frameworks keep your organisation functioning properly and are essential to proper information risk management.

(When reviewing the policies your organisation needs to have in place, keep the EU's General Data Protection Regulation (GDPR) in mind, and consider how it changes which policies you must adopt.)

We suggest the following resources:

  • HMG Security Policy Framework: Page 11 of this PDF details HMG’s information security practices.
  • Managing information risk: This guidance manual was created by CESG, the U.K.'s National Technical Authority for Information Assurance. (CESG has since been merged into the National Cyber Security Centre (NCSC), so look for current versions of this guidance there.)
  • The CESG website: It hosts many articles and white papers you may find helpful when creating your information risk management policies.

Procedures To Follow

Armed with a solid understanding of the risk equation and the policies needed to manage your risk, you can begin adopting those policies and establishing a clear strategy for your information risk management. Creating fixed, step-by-step actions for better cybersecurity based on the policies above is an excellent best practice—and we suggest the following as a starting place for your IRM procedures:

  • Put technical controls in place: Your IT security teams will want to ensure certain technical controls are in place to prevent or lessen the impact of a catastrophic data breach. These may include intrusion detection systems, anti-virus software, multi-factor authentication, and firewalls.
  • Review third-party contracts: This is particularly important because of the GDPR. Although it does not apply until 25 May 2018, it requires controllers (the organisations that decide why and how personal data is processed) to work only with processors that can implement appropriate security measures to protect personal data. Under the regulation, controllers can be held liable for their processors' actions if those processors do not meet the required security standards. So you will want to revisit your contractual agreements and make sure your security expectations are spelled out and airtight.
  • Track and report on cybersecurity metrics: One of the building blocks of any security programme is a set of actionable cybersecurity metrics, which help your organisation determine how well prepared it is for a range of cyber threats. Put these in place, track them, and report on them regularly.
  • Run tabletop exercises: By running a tabletop exercise before a breach occurs, you can prepare executives, board members, and members of the IT security team for the roles they will play. Be sure plans are in place for notifying law enforcement, forensics firms, customers, and investors, and for dealing with potential financial or reputational harm.

Technologies To Use

You'll want technology that supports both quantitative and qualitative risk assessment methods, so you can judge how likely a risk is to materialise and what its impact would be if it does.

  • Veracode: This cloud-based technology helps test the security of applications developed by third parties.
  • SAFECode: This nonprofit organisation publishes best practices for improving the security of software development processes.
  • Bitsight: Our software provides an innovative way to measure and mitigate third-party security risk through continuous monitoring solutions.

How do you manage your information risk? Tweet us @bitsight and let us know.