Many companies embark on their risk management strategies from a single perspective, and do little more than put automated tools in place that will monitor activities for patterns and trends, and alert appropriate personnel when an abnormal or out of the ordinary event occurs.
However, risk management is not nearly that simple. Related strategies are complex and multi-faceted. Even the slightest oversight can put sensitive or confidential data in jeopardy – and result in stiff monetary penalties or negative impact to the company’s image and reputation. So, in order to ensure optimum security of their IT infrastructure, organizations must make their risk management initiatives as comprehensive as possible.
A truly complete risk management strategy must include the following steps:
- Risk assessment. Identify all probable threats, and prioritize them based on their likelihood and their potential impact.
- Asset audit. Build a list of all information assets, including databases, applications, files, and other sources that contain data that may be subject to breach. Carefully evaluate each, and assess its vulnerability to an attack.
- Process definition. Create and document the procedures for the ongoing monitoring and analysis of all software, hardware, and virtual information assets. These defined activities must be readily accessible to and clearly understandable by all key stakeholders. They must also be strictly enforced, with specific penalties outlined for those who put information at risk by failing to adhere to written guidelines.
- Tool selection. Determine what types of technology solutions may be needed, and evaluate and select a suite of automated tools to assist in the monitoring and alerting process.
- Incident response. Define step-by-step workflows for responding to and investigating (when needed) a potential breach. These must include not only a list of all required tasks and activities, but also rigid timelines for executing them.
- Assignment of resources. Determine who will be responsible for the various aspects of risk management, and clearly highlight the roles and responsibilities of each key stakeholder. Be sure to define a chain of command, as well as a contingency or succession plan to minimize disruption to risk management when assigned resources are unavailable, or when they leave the company.
The last, and perhaps most important, step is ongoing enhancement. Continuously test and evaluate the various components of the strategy, including tools and technologies being utilized, and make refinements as needed. This is particularly important after the detection of a breach event, when a post-response de-brief can help facilitate the creation of best practices (for those processes that proved to be effective) and result in lessons learned (for those procedures that did not work).