IT Risk & Security : The Five Phase Approach

 The proposed approach uses five phases to examine organisational and technology security issues, thus assembling a comprehensive holistic picture of information security needs. The five phases for the Method are depicted below:

Final installment for IT Risk & Security

IT Risk & Security : Working Assumptions

In addition to the above-mentioned objectives, some considerations/assumptions have been made in developing the risk & security assessment approach presented here:

  • In many cases the SME may be unfamiliar with computer security and in consequence may benefit from access to awareness, training and guidance material.
  • The establishment of a security guidance framework through SME trade bodies and associations will help promote understanding of security issues by those with little background in information security.
  • Policies and frameworks for information security planning and disaster recovery are usually non-existent. Moreover, a basic understanding of information security risk in SMEs does not extend much beyond viruses and anti-virus software.
  • Most SME business managers barely understand the highly technical and complex scientific terminology related to information security.
  • Inadvertent threats pose some of the highest information security risks to SMEs, and yet personnel training and awareness programmes are often neglected. Even if the staff of SMEs have specialist knowledge of information systems, they may not possess specialist know-how in IT security matters. An aggravating factor is that companies generally cannot afford to invest enough resources in risk & security management.

Our next installment – IT Risk & Security : The Five Phase Approach

IT Risk & Security : Approach & Methodology

The proposed approach is self-directed, meaning that people from an organisation assume responsibility for assessing the risks, selecting controls and thus setting the organisation’s security strategy. This technique leverages people’s knowledge of their organisation’s security-related practices and processes to:

  • capture the current state of security practice within the organisation,
  • identify risks to the most critical assets,
  • prioritise areas of improvement and set the security strategy for the organisation.

The objectives behind the introduction of this risk assessment and risk management approach are to:

  • Improve existing Information Security Thresholds. The approach can be used as a catalyst to accelerate SME efforts towards information security risk management by addressing high risks. Furthermore, by targeting typical threat scenarios it will ultimately improve existing information security thresholds.
  • Fulfil the business requirements, context, and constraints typically found in SME environments by avoiding specialised terminology and eliminating the highly demanding tasks incorporated in almost every existing, widespread professional methodology and industry standard (e.g. asset evaluation, business impact analysis, identification of security requirements, etc.).
  • Use a self-directed approach tailored to the means, resources and expertise typically found in an SME environment.
  • Focus on critical assets and highest risks. The method was developed as a simple and easy guide for identifying and protecting assets judged to be most critical to the organisation.
  • Develop a measure-independent risk assessment and management method. For the purpose of producing a first practical and realistic output

Our next installment – IT Risk & Security : Working Assumptions

IT Risk & Security : Decision-Making Questionnaire (Partial Outsourcing)

Do you deem it necessary to retain an increased focus on core competencies and strategic business processes but also improve internal information security awareness and competency in information security matters?

Is it likely you can make available one to two people in your organisation who have a broad and deep understanding of the organisation and also possess most of the following skills?
• ability to understand the business processes and the underlying infrastructure of the organisation
• problem-solving ability
• analytical ability
• ability to work in a team
• leadership skills
• ability to spend a few days working on this method
• likely to remain with the organisation on a longer-term basis

Do you have a complex and relatively large IT infrastructure but a relatively simple business model?

Do your business and service offerings include financial transactions?

Do you operate a business that is highly subject to strict Domestic Legal and Regulatory constraints and/or mandates?

Our next installment – IT Risk & Security : Approach & Methodology

IT Risk & Security : Decision-Making Questionnaire (Full Outsourcing)

Do you deem it necessary to retain an increased focus on core competencies and strategic business processes?

Would you find it hard to make available two to five people who have a broad and deep understanding of the organisation and also possess most of the following skills?
• ability to understand the business processes and the underlying infrastructure of the organisation
• problem-solving ability
• analytical ability
• ability to work in a team
• leadership skills
• ability to spend a few days working on this method

Do you have a highly complex and relatively large IT infrastructure?

Do your business and service offerings include financial transactions?

Do you operate a business which is highly subject to strict Domestic Legal and Regulatory constraints and/or mandates?

Do you have a relatively simple information technology infrastructure which is well-understood by at least one individual in your organisation?

Our next installment – IT Risk & Security : Decision-Making Questionnaire (Partial Outsourcing)

IT Risk & Security : Decision-Making Questionnaire (In-sourcing)

Is your organisation small?

Does it have a flat or simple hierarchical structure?

Do you have internal know-how in IT Systems and Networks?

Does your organisation have qualified and available human resources?

Do your business activities have a low dependency on IT systems, are they uninvolved in storing or processing customer data of a sensitive nature, and has your organisation been involved in similar activities before (e.g. quality improvement processes)?

Can you find a group of three to five people who have a broad and deep understanding of the organisation and also possess most of the following skills?
• problem-solving ability
• analytical ability
• ability to work in a team
• leadership skills
• ability to understand the firm’s business processes and the underlying infrastructure of the organisation
• ability to spend a few days working on this method

Do you have a relatively simple information technology infrastructure that is well-understood by at least one individual in your organisation?

Our next installment – IT Risk & Security : Decision-Making Questionnaire (Full Outsourcing)

IT Risk & Security : Implementation Parameters

Decision makers can initiate risk assessment on their environment and trigger the introduction of suitable measures to face unacceptable risks. This is the precondition for the management of information security. In performing this, a variety of approaches may be followed concerning the staffing of such an effort (also known as a “make-or-buy” decision). We differentiate between three approaches:

In-sourcing of risk & security services: the risk & security assessment and the identification of necessary measures are performed by internal staff. The assessment is based on a risk & security assessment approach that has been selected by the organisation (e.g. a good practice, a known standard, etc.). This will help the organisation to master the assessment approach for recurring executions.

Full outsourcing of risk & security services: according to this approach, the entire risk & security assessment is performed by an external contractor. The assessment is based on a risk & security assessment approach that is chosen by the external contractor. The contractor can also undertake recurring future assessments. No know-how transfer to internal personnel is foreseen for the entire life cycle of the risk & security assessment/management of the SME.

Partial outsourcing of risk & security services: this approach assumes that the initial risk & security assessment is performed by an external company. The assessment will be based on a risk & security assessment approach that is known to the SME. Hence, further risk & security assessments can be performed by internal personnel. The initial assessment performed by the outsourcer serves as know-how transfer to the SME’s internal personnel.

Our next installment – IT Risk & Security : Decision-Making Questionnaire (In-sourcing)

IT Risk & Security : What you need to know

Information security is about identifying, mitigating and managing the risks that are relevant to information assets. Risk assessment is the first necessary step towards understanding those risks: it carries out a comprehensive identification and evaluation of an organisation's information security risks.

The output of such an activity is essential for managing business as the risks involved can influence significantly the confidentiality, integrity, and availability of information assets and may be critical for maintaining a competitive edge, financial stability, legal compliance, and a strong commercial image.

As such, risk assessment can help decision makers to:

  • Assess organisational practices and installed technology base;
  • Enforce information protection based on potential impact on the organisation;
  • Focus security activities on what is important. Measures that are associated with acceptable risks can be abandoned;
  • Ensure that implemented measures and expenditure are fully commensurate with the risks to which the organisation is exposed. In this way a balance between the costs of addressing a risk and the benefits derived from avoiding the negative impact can be maintained.

During a risk assessment, an organisation performs activities to:
  (a) identify information security risks,
  (b) evaluate the risks to determine priorities, and
  (c) define how to mitigate the risks.

Information security risk assessment, though, is only the first step towards information security risk management, which is the ongoing process of identifying risks and implementing plans to address them.

Clearly, risk assessment itself provides a direction for an organisation’s information security activities; it does not necessarily lead to meaningful improvement unless an implementation of measures has taken place. As in any other management discipline, implementing one part of the management life-cycle alone does not bring the desired effects.

No evaluation, no matter how detailed or how expert, will improve the security posture unless the organisation follows through with implementation. Besides risk assessment, effective risk management includes the following steps:

  • Plan how to implement the protection strategy and risk mitigation plans from the evaluation by developing detailed action plans. This activity can include a detailed cost-benefit analysis of various strategies and actions.
  • Implement the selected detailed action plans.
  • Monitor the plans for progress and effectiveness. This activity includes monitoring any changes in risk levels.
  • Control variations in plan execution by taking appropriate corrective actions.

Our next installment – IT Risk & Security : Implementation Parameters

IT Risk & Security : An Executive Overview

Small and Medium Enterprises (SMEs) are a priority focus area for government economic policy and are considered to be of key importance to socio-economic growth in South Africa. SMEs are usually born out of entrepreneurial passion and limited funding, with business systems that are often heterogeneous and independent. Moreover, the tangible and intangible business assets of SMEs are only rudimentarily defined, and the value of such assets is often only partially known. Typically this is the case with one of the most important assets, namely information.

Much like any other business asset, information needs to be strategically managed and protected. Information security is the protection of information within a business, including the systems and hardware used to store, process and transmit this information. It is imperative that SME business leaders understand the value of information contained within their business systems and have a framework for assessing and implementing information security. Numerous internationally approved security frameworks and schemes may be implemented to safeguard an organisation against information loss and potential liability. Since these frameworks are complex, all embracing, and ultimately costly to implement, they are mostly adopted by large organisations.

Usually, due to the dynamic and ad hoc development of many SMEs, neither integration nor security issues are systematically addressed in the building-up phase. Thus, policies and frameworks for information security planning and disaster recovery are usually very rudimentary or even nonexistent. It is often the case that the basic understanding of information security risk in SMEs does not extend much beyond viruses and anti-virus software. Inadvertent threats pose some of the highest information security risk to SMEs, and yet personnel training and awareness programmes are often neglected.

Survey results reveal that the level of information security awareness among SME leaders is as variable as the state of their information systems, technology and security. Although a minority of SMEs do embrace security frameworks such as ISO/IEC 27001 or the international equivalent ISO 17799, most SME executives have not heard of security standards and consider information security only as a technical intervention designed to address virus threats and data backups. Far from blaming SME executives for not understanding the critical issues surrounding information security, research concludes that SME leadership needs to engage with, understand and implement formal information security processes, including technical and organisational measures. Without such measures, their organisations may be severely impacted by inadvertent threats or deliberate attacks on their information systems, which could ultimately lead to business failure.

Based on the contents of this information package, SMEs will be able to perform risk assessments on their environments and select and apply suitable measures for managing information-security-related risks. In this document we assist SMEs in defining such an effort and in deciding how to initiate and perform it; if they have sufficient resources, we provide guidelines for performing a self-assessment of information risks. For this purpose, we offer a simple risk assessment method that leads to a quick and encompassing identification and mitigation of information risks.

The assessment method presented in this document is based on a simplified model that has been generated for small organisations which share certain common characteristics. First, their organisational structures are relatively flat, and people from different organisational levels are accustomed to working with each other. Second, people are often required to multi-task, exposing staff members to the entire variety of processes and procedures used across the organisation.