How to Address Enterprise-Shared Risk

September 1, 2009
/ Print / Reprints /
ShareMore
/ Text Size+

Organizations, both government and commercial, continue to increase in size and complexity, as well as in the way they derive value for their customers. As these organizations grow and mature, the departments and business units that comprise them increasing rely on supporting IT systems, networks and shared infrastructure to send and receive critical information. This reliance on shared and interconnected IT infrastructure, although necessary to help drive growth and to support the achievement of the overall mission, also introduces a new concern:  enterprise-shared risk.


Background

The concept of enterprise-shared risk is a concern for organizations that are relatively large and complex, or those that support a number of different business functions (i.e., value chains). These types of organizations are ultimately susceptible because they are comprised of numerous departments and business units that provide differentiated services. As a result, the organization’s different business units typically support distinct value chains and, more specifically, they have very different tolerance levels for risk acceptance (i.e., risk profiles).
     
For example, one business unit’s value chain might support academic research and development aimed at public dissemination, while another business unit’s value chain might be tied to selling and managing finance and investment portfolios. Because the two business units (although under the same umbrella organization) support distinct business requirements and needs, they have very different risk profiles. The risk profile for the business unit focused on academic research is most likely to be very low, as the business unit’s end goal is to distribute and share information and academic research to the public. As a result, this business unit would not focus on information security, nor would it want to allocate significant resources to the management and implementation of supporting information security controls. On the other hand, the risk profile for the business unit focused on finance and investment portfolio management would be much higher, as it is most likely to be very concerned about the protection of the confidential and private financial information that it handles. Logically, this business unit would stress the need for strong information security, and especially the need to employ effective information security controls on the network and IT systems that process the sensitive financial information.
     
There are numerous examples of when different business units, under the same larger organization or enterprise, support very different value chains and, consequently, have different risk profiles. Although this situation is common, the majority of organizations do not realize the potential negative impact a service delivery model being supported by shared IT infrastructure can have (and continues to have) on the ability of the organization to fulfill their overall mission effectively and efficiently.
     
The potential negative impact of different business unit’s managing unique risk profiles is illustrated when those business units leverage common IT infrastructure, or components of shared IT infrastructure. As a result, the funding, resources and energy spent by the business unit that has identified a need to manage to a higher risk profile are nullified. Through the “least-common-denominator” concept, a potential adversary levels the playing field by compromising the business unit with the lowest level of information security controls, and then traverses the network to ultimately compromise the business unit processing the targeted sensitive and confidential information. Under this scenario (illustrated in figure 1) nearly all of the efforts by the respective business units that managed to a higher risk profile (and who employ robust information security controls) are unable to stop the adversary from compromising their critical information. This scenario creates the potential for considerable cost and resource inefficiency affecting the entire enterprise.


Information Security Governance Framework

A proven approach to address enterprise-shared risk is to implement an information security governance framework that addresses the inherent business value of uniformly protecting information and information processes to a common baseline. Its key discriminator is that it focuses on the integration and coordination of information security activities across all component’s of an enterprise, with the goal of enabling the organization’s mission.
     
Executing an information security governance framework begins with the identification of the greatest information risks across the enterprise (with a focus on the identification of shared risks). Leveraging an “as-is” baselining assessment and an industry-specific benchmarking study (if desired), a tailored information security strategy, integrated with the overall organizational mission, can be generated for mitigating the identified risks. The resulting strategy identifies the key programmatic priorities and lays the foundation for the operational tempo of the business—all aligned under a clear policy and supported by a strong operational model. The framework enables executives and managers to make educated trade-off decisions, balancing the costs and benefits of pursuing a specific information risk posture.
     
There are five key components of a highly effective information security governance framework that every organization should address:
  1. As-is baselining. The as-is baselining study identifies the current state of information security for the organization. This study is designed to assess information security functions against a framework of applicable industry and compliance drivers. Additionally, it is designed to identify the strengths and weakness of how the organization currently addresses information security across the enterprise and includes both management and functional perspectives.
  2. Benchmarking. The benchmarking study provides a strong understanding of how information security functions were solved by similar organizations. This examination provides awareness of potential pit falls and proven strategies for avoiding them. The study also identifies possible efficiencies for implementing information security functions. Key to this exercise is the identification of best practices for how to address specific information security requirements and industry drivers.
  3. “To-be” information security strategy. The strategy leverages the results of the benchmarking and as-is baseline studies to formally establish the information security program vision, goals and objectives. Additionally, the strategy captures the organization’s overall information security value chain and process, along with a high-level road map for implementing the program and achieving the stated program goals and objectives.
  4. Information security operating model. The operating model identifies and formalizes the organizational structure for the information security program. It includes the identification of all key stakeholders, a determination of what role they should play in the overall program, as well as identification of where they sit within the larger program. Additionally, this structure includes an interaction model that illustrates how and when key stakeholders communicate, as well as the key management and functional processes and how they work.
  5. Information security policy. The policy identifies the specific organizational roles and responsibilities that support all information security activities, and captures the accepted information risk posture for the organization.    

 

 Implementing an information security governance framework is more than just building the individual components. These components must be developed and implemented in a coordinated manner with buy-in from senior leadership across the organization. The enterprise-wide accepted risk posture and baseline should set and drive all other information security and risk management activities.



Summary

An information security governance framework is a powerful, results-oriented, strategic approach to identify and address enterprise-shared risk. By building the necessary components with an integrated framework to address the shared risks to an organization, organizations can design a program with repeatable processes that lowers risk exposure to an acceptable baseline level. For organizations concerned with proactively managing risk in an uncertain, ever-changing threat environment, implementing an information security governance framework is a must.  

Did you enjoy this article? Click here to subscribe to Security Magazine. 

You must login or register in order to post a comment.

Multimedia

Videos

Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.

Podcasts

Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

September 2014

2014 September

In the September issue of Security Magazine, find out who this year's most influential people are in the security industry are. Also, take a peek at the technology products that ASIS 2014 will be showcasing at the upcoming event. Read about the lessons learned from security at the World Cup, find out why tactical medical training is a must for your enterprise and how Atlanta increased security by sharing surveillance.
Table Of Contents Subscribe

Adopting New Technology

How long do you wait before adopting a new technology?
View Results Poll Archive

THE SECURITY STORE

comptiahighriseproductphoto
CompTIA Security+ Certification Study Guide
CompTIA's Security+ certification is a globally-recognized, vendor neutral exam that has helped over 60,000 IT professionals reach further and higher in their careers. The current Security+ exam (SY0-201) focuses more on being able to deal with security issues rather than just identifying them.
More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.  

STAY CONNECTED

Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+