Express Computer
Home  »  Columns  »  The next step for information risk management

The next step for information risk management

0 520

Rajat Mohanty, CEO, Paladion Networks


By Rajat Mohanty, CEO, Paladion Networks

SME owners along with CEOs of large enterprises today are losing sleep over information security concerns, despite investing heavily on technology to ensure better business performance. However, these technology investments are being made in the interest of innovating and accelerating the impact of technology for their customers rather than to protect the data itself. The compliance and security teams often approach their CFOs to set aside budgets required to strengthen the companies’ security and compliance programs. However, owing to the CFO’s risk-averse nature, they mostly focus on the business and the bottom line.In view of this, the next step towards information risk management would be for the CFOs to bring innovative ideas to the table to help their companies remain competitive.

Corresponding to that, CFOs are required to bring the facts into focus for the CEOs to take interest in risk management decisions. However, it is to be noted that these steps are not quick or easy. The CFOs and CEO need to identify all the assets that contain or transmit the information they are trying to protect.It could be anything from a Personal Identification Information (PII), Protected Health Information (PHI), Payment Card Information (PCI), or any other proprietary or sensitive information important to the business. These information assets not only include application but the ‘media’ that contains those applications, such as servers, back-up tapes, desk tops, laptops, and thumb drives.

Following that would be the identification of threats to those assets which encompass facets including environmental factors like Floods, Lighting and fire; Structural like infrastructure or software failure; Accidental like uninformed or careless users and Adversarial like hackers, malicious insiders. Furthermore,identification of the vulnerabilities of those assets is the next significant step. For example, no data backup, no encryption, weak passwords, no remote wipe, no surge protection, no training, no access management, no firewalls, no business continuity plans and so on.

Taking informed decisions on risk treatment involves isolating all combinations of assets, threats to those assets and the vulnerabilities that might be exploited. Absence of these three aspects indicates that there is no risk to the information of the company. However, this is just the nascent stage or initial steps towards information risk management. Determining the likelihood of each threat exploiting the vulnerabilities follows the suite.The subsequent steps could be relatively harder as it lacks specific data to support a calculable likelihood. Tackling the issue, some companies use simple high, low and medium ranking, but there are various other metrics that need to be factored in to access likelihood like, industry breach statistics, data-type breach statistics, data loss statistics by cause, industry complaint statistics, the breach and/or complaint history of one’s own organization, and the details of any security or privacy incidents.

Apart from determining the likelihood of the threats exploiting the vulnerabilities, enterprises need to generate a risk-list, with high impact risk at the top and low impact risk at the bottom and everything else in between. Once the list is in place, the CISOs, CFOs, CEOs and all other C-suites need to congregate and belt out solutions and determine the cost of all risks.
In a nut shell, continuous evaluations and re-evaluations of risks that a company faces, is a good practice. Although time, energy and commitment are some of the most important pre-requisites for such practices, one has to agree that ongoing vigilance has its own rewards. Apart from mitigating huge business costs, it also saves the companies immense reputational damage that could stem out of data breach.

Get real time updates directly on you device, subscribe now.

Leave A Reply

Your email address will not be published.

LIVE Webinar

Digitize your HR practice with extensions to success factors

Join us for a virtual meeting on how organizations can use these extensions to not just provide a better experience to its’ employees, but also to significantly improve the efficiency of the HR processes
REGISTER NOW 

Stay updated with News, Trending Stories & Conferences with Express Computer
Follow us on Linkedin
India's Leading e-Governance Summit is here!!! Attend and Know more.
Register Now!
close-image
Attend Webinar & Enhance Your Organisation's Digital Experience.
Register Now
close-image
Enable A Truly Seamless & Secure Workplace.
Register Now
close-image
Attend Inida's Largest BFSI Technology Conclave!
Register Now
close-image
Know how to protect your company in digital era.
Register Now
close-image
Protect Your Critical Assets From Well-Organized Hackers
Register Now
close-image
Find Solutions to Maintain Productivity
Register Now
close-image
Live Webinar : Improve customer experience with Voice Bots
Register Now
close-image
Live Event: Technology Day- Kerala, E- Governance Champions Awards
Register Now
close-image
Virtual Conference : Learn to Automate complex Business Processes
Register Now
close-image