Current Developments and Issues Affecting IS/IT Strategies.
‘Risk Assessment plays an important role in an organisation's strategic planning for managing data security'
Risk Management is an integral part of any Business Management System - it should be an organisation's policy to proactively identify, understand and manage the risks inherent within the organisation and its business practices, to encourage responsible and informed risk taking and to seek to optimise the balance between risk and control.
The data held by an organisation is as much an asset to the business as any other item, tangible or not - data and its handling are important to any organisation and should be treated accordingly. Data and information security have had an extremely high profile in recent years: a number of incidents have been highlighted and pursued in the press, which has given organisations more reason to take their approach to managing data security issues seriously. Particular attention was given to the loss of data relating to child benefit records and driving test candidates (Nov/Dec 07).
Using a Risk Management methodology allows a systematic approach to identifying, analysing and controlling risks that may have the potential to cause damage or harm to an organisation. This approach can inform and formulate the organisation's policies, objectives and procedures, as well as producing business action plans and prioritising available resources and assets.
Data security can be described as the practice of keeping data protected from corruption and unauthorised access - ensuring the privacy and protection of the organisation's data. The confidentiality, integrity and availability of any data are essential to maintaining service levels, legal compliance and the public image and public perception of any organisation.
It is crucial that an organisation takes data security seriously and invests suitable resources to provide the necessary controls - customers and service users should be able to trust the ability of an organisation to act appropriately when obtaining and holding data/information. Organisations considering data security should aim to reduce any threats, increase the safeguards put in place and reduce any vulnerabilities. The data held can be in different formats and can include data stored electronically on database systems, letters, spreadsheets, communications sent by email, stored digital video, speech recordings etc.
When dealing with data and its security an organisation has to consider the cost or damage any breach may have on the business or service, whether through the loss, alteration, replication or disclosure of data. Lapses can lead to the loss of reputation and confidence, and even prosecution. In the UK, the Information Commissioner's Office (ICO) has been set up to police data privacy for individuals and the right to access certain public information. The ICO has recently consulted on the possibility of fines of up to £500k for the worst breaches of the Data Protection Act 1998.
The following examples of legislation have implications with regard to data security:-
Data Protection Act 1998
Covers personal data used and held by organisations. A set of eight principles that forms the basis for best practice.
Companies Act 1985
Ensures that adequate precautions are taken against the falsification of records and for the discovery of any such falsifications.
Copyright, Designs and Patents Act 1998
Ensures that only licensed or developed software is used by users.
Computer Misuse Act 1990
Makes it an offence to gain unauthorised access to computer material, either with intent to commit further offences or to modify computer material (e.g. amending or damaging data, introducing viruses).
Freedom of Information Act 2000
Applies to public authorities and gives individuals rights of access to all types of recorded information held - implications on storage and retrieval of data.
Civil Contingencies Act 2004
Requires local authorities to have Business Continuity Management arrangements - implications for the need to protect data through backup and resilience measures.
Examples of other implications include the Turnbull Report on internal control and risk management, which gives directors of Stock Exchange listed companies the responsibility to act on IT governance, manage risks and computer security. Banks and financial-sector organisations are subject to the requirements of the Bank for International Settlements (BIS) and the Basel 2 framework, which deals with operational risk (including information/IT risk).
Risk assessments (RAs) form part of the overall risk management approach and will be the first process undertaken in assessing any risks and addressing any subsequent actions that may be required. RAs will be used to determine the extent of any potential threat and the risk associated with it - where risk is defined as “a potential future event which is uncertain in likelihood and consequence and if it occurs could affect a company's ability to achieve its objectives”. Appendix 1 provides an example template for recording the RA's details.
The output of this process helps to identify appropriate controls for reducing or eliminating a particular risk, taking into account the likelihood of that event occurring, the vulnerability involved and the resulting impact of that adverse event on the organisation. Any RA will have to consider the business context of the risk and its interrelated business functions.
The risk management objective will be firstly to eliminate the risk or, for those risks that cannot be eliminated, to reduce them to acceptable levels. Then either the organisation has to live with the risk by maintaining careful controls and countermeasures to keep the risks at ‘acceptable' levels, or it will have to transfer them, by means of insurance or otherwise, to some other organisation.
The RA will be undertaken by firstly carrying out an asset identification exercise to assess any vulnerability. The areas covered at this stage will be made up of primary assets, which are business processes and their related activities along with any data/information held, and supporting assets, which will include the hardware, software, networks, premises/sites, the organisational structure and its personnel. The RA should be undertaken by a competent person who has knowledge of the organisation and the available controls, and should include as many other staff and managers as possible.
The next stage is determining and listing all possible security threats and vulnerabilities for the assets identified. Threats can be deliberate, accidental or natural events. The list of data security threats and vulnerabilities is endless; a few examples are given in the tables below.
Examples of threats:
* Fire, water, pollution, destruction of equipment or media, faulty equipment, dust etc.
* Weather-related events including flood, earthquakes, fires
* Loss of essential services: power, telecommunications and any other supporting utility
* Compromise of information: loss or theft of media or equipment, disclosure of data, eavesdropping, tampering with software or hardware, remote spying, retrieval of deleted data by a third party
* Equipment or software malfunction or failure, system failure, power fluctuations
* Unauthorised use of equipment or access to data, copying of software, counterfeiting, corruption of data, illegal processing of or changes to data
* Compromise of functions: errors in use, abuse, forging or denial of rights
Examples of vulnerabilities, by supporting asset:
* Hardware: maintenance of equipment, poor contingency in relation to power supply and temperature controls, lack of care and protection, incorrect disposal
* Software: flaws, insufficient testing, no logout procedure, no audit trails, incorrect access rights, no system documentation, password management, change control issues, poor back-up procedures, uncontrolled access
* Network: vulnerable joints and cabling, unprotected servers and communication lines, poor network management, incorrect configuration
* Personnel: absence, incorrect recruitment, training issues regarding security and competence, supervision requirements, poor policies
* Site: physical security of premises, access controls, site locations e.g. flood plain
* Organisation: lack of procedures, monitoring, risk management, SLAs, continuity plans, audits, email usage policy, allocation of responsibilities, etc.
Following on from the above, an assessment is made of the impact of a threat occurring and the likelihood of its occurrence is rated.
Most organisations use a scoring risk matrix (similar to the diagram below) to determine the level of the threat; this helps to establish a prioritised list for action through a quantitative scoring system.
Because not all risks are of equal significance to an organisation, each risk will be ranked high, medium or low in terms of both the likely frequency of occurrence and the likely impact on the organisation.
Many organisations establish a Risk Register that identifies all significant risks that may have a material effect on service objectives. The register will consider all potential risks facing an organisation and assess whether there are any related or interconnected issues. Once a register has been established, consideration will then be given to the likely countermeasures and mitigation for the threats, allowing for effective decision-making.
Although high-level threats will need attention first, it is likely that a number of threats can be addressed quickly and easily, with relatively low cost implications for the organisation, and that a single measure may address several threats even if these are considered lower risk.
Implementing any controls or countermeasures will usually address the requirements of legislation or regulations and the objectives of the organisation, along with its operational requirements; it will also consider the costs involved in implementing and operating the controls, weighing the investment involved against the harm that may result from any failures.
Countermeasure implementation depends very much on the identified threat; how to treat it may involve a number of changes that may in fact resolve, impinge on or introduce other risks. The ultimate aim of the countermeasures will be to address the baseline controls by reducing the threat, increasing the safeguards and reducing the vulnerability. Countermeasures can involve anything from implementing an organisational security policy to putting a lock on a door or banning the use of memory sticks. The following are some more examples.
* Hardware: secure access, improved maintenance, quality brands, service requirements defined, introduce uninterruptible power supply units, controls on the use of memory sticks
* Software: back-up procedures, authentication controls, password changes imposed, installation of firewall and antivirus, introduce data encryption, password selection rules
* Network: securing assets, outsourcing, ensure cabling to recognised standards, agreements with providers
* Personnel: induction training, impose recruitment standards, background checks, supervision, clear desk policy, review of access rights, monitoring of usage, locking of computers, data handling procedures, limit internet use
* Site: security imposed on sites, assessment of site locations, contingency and resilience plans for backup
* Organisation: introduction of procedures, adherence to controls, introduce audits and reviews, correct allocation of responsibilities, job descriptions, risk management, quality assurance
The RA process is iterative and involves monitoring and reviewing the countermeasures in place to see if they are achieving their set goal, as well as revisiting and assessing whether there are any new threats or vulnerabilities to be considered.
There are a number of recommended approaches to Risk Assessment and Information Security, along with a number of tools to help; they can be quantitative or qualitative in approach and include the CCTA Risk Analysis and Management Methodology (CRAMM), RiskPAC, CORA and COBRA.
One way for an organisation to establish data security requirements is to follow a set of guidelines or standards; the British Standards Institution (BSI) has developed a number of standards for information security that are now incorporated into the ISO 27000 set of standards.
The RA model suggested by BSI for Information Security follows risk management approaches similar to those in other standards, as well as following the plan-do-check-act cycle of quality assurance that aims for continual improvement.
Using the BSI standards provides improvements for an organisation through a process and system approach to management, allows for continual improvement and a factual approach to decision-making, and offers the potential for certification to a recognised business standard that can provide a level of assurance to customers and service users.
The use of Risk Analysis in relation to data security ensures that security controls for systems are fully proportionate to the risks, gives an overall picture of any requirements and involves everyone in the organisation, not just the IT department or section; this allows IS/IT to be integrated strategically into the business. The self-analysis process provides a way to justify the additional costs that will inevitably fall out from additional control requirements, allows departmental management and IT staff to take a more proactive role and enhances their understanding of each other. RAs allow better targeting of threats and vulnerabilities by accurately identifying requirements, enable issues to be identified at an earlier stage, protect high-risk assets and increase overall organisational awareness of data security issues for all staff. The approach gives the organisation as a whole a more consistent and objective way to assess its data security.
Example Risk Assessment form
Risk Assessment results are compiled by observing the vulnerability or threat and recording the results accordingly, and will include the following:-
* observation number with a description of the observation
* description of the threat-source/vulnerability
* identification of existing security controls
* likelihood evaluation with reference to the risk matrix (e.g. High, Medium or Low likelihood)
* impact analysis evaluation with reference to the risk matrix (e.g. High, Medium or Low impact)
* risk rating calculation from the risk-level matrix (e.g. High, Medium or Low risk level)
* finally, any suggested controls or alternative options for reducing the risk
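As an added illustration of the likelihood/impact matrix and the form fields described above (example code written for this page, not taken from the essay, the BSI standards or any tool it names): each observation carries the form's fields, the two High/Medium/Low ratings are combined into a risk level, and the register is ordered into the prioritised action list. The weighting scale (likelihood 10/5/1, impact 100/50/10, product above 500 High, above 100 Medium, otherwise Low) is an assumption, since the essay's matrix diagram is not reproduced; the sample observations are constructed.

```python
from dataclasses import dataclass, field

# Weightings are an ASSUMED scale standing in for the essay's matrix diagram.
LIKELIHOOD = {"High": 10, "Medium": 5, "Low": 1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}
RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2}  # sort key: High first

def risk_level(likelihood: str, impact: str) -> str:
    """Risk-level matrix cell: weight product, then >500 High, >100 Medium, else Low."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score > 500:
        return "High"
    if score > 100:
        return "Medium"
    return "Low"

@dataclass
class Observation:
    """One row of the example Risk Assessment form."""
    number: int
    description: str
    threat_source: str
    existing_controls: str
    likelihood: str
    impact: str
    suggested_controls: str
    risk: str = field(init=False)  # derived from the two ratings on creation

    def __post_init__(self) -> None:
        self.risk = risk_level(self.likelihood, self.impact)

def prioritised(register: list) -> list:
    """Order the register so the items needing attention first come first."""
    return sorted(register, key=lambda o: (RISK_ORDER[o.risk], o.number))

# Constructed sample observations drawn from the threat and countermeasure lists.
REGISTER = [
    Observation(1, "Dust in equipment cabinets", "Faulty equipment",
                "Annual maintenance", "Low", "Low", "Improved maintenance"),
    Observation(2, "Unencrypted memory sticks leave site", "Loss or theft of media",
                "None", "High", "High", "Data encryption; controls on memory sticks"),
    Observation(3, "No logout procedure on shared PCs", "Unauthorised access to data",
                "Screen locks", "Medium", "Medium", "Locking of computers; access review"),
    Observation(4, "Server room on flood plain", "Flood",
                "Off-site backups", "Low", "High", "Site assessment; resilience plans"),
]
if __name__ == "__main__":
    for obs in prioritised(REGISTER):
        print(f"{obs.number}: {obs.risk:6} {obs.description} -> {obs.suggested_controls}")
```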