We hear many times that this is the information age and that data is the new gold. The “Big Data” trend encapsulates this and focuses our minds on the potentially huge amounts of data our businesses have access to, both internal and external. Data and information are therefore potentially high value assets but, just like a gold mine, they need to be mined and refined into something valuable, and then protected.
Given the explosion of available information and the ever increasing reliance of businesses on that information in order to function, information risk management has never been more critical.
This article considers information risk management as part of an overall Enterprise Risk Management (ERM) framework.
The starting point for information risk management is to identify all sources of information that are used and managed by the organisation. This requires the development of an “Information Asset Register”, which should record such things as:
- Information Asset Name
- Type: Electronic / physical
- If electronic: Production, Test or Back-up
- Type of storage: Server, laptop, desktop, mobile device, web, USB key, physical (filing cabinet) etc.
- Type of information (field descriptors)
- Purpose /use of information
- Location (geo location)
- Number of records
- Relevant external obligations over information. Is the information public or private? For government, unclassified / protected etc.
- Information / Storage owner
- Methods of write access (add, amend, delete)
- Methods of read access (web, intranet, print etc.)
- Parties with write access
- Parties with read access
Figure 1: Example of an Information Asset Register
The second stage is to identify the objectives of information management. ISO 31000 defines risk as the effect of uncertainty on objectives. Information risk is therefore the effect of uncertainty on information objectives. Information objectives should include:
- Availability - as and when required
- Integrity - completeness, accuracy, timely / up-to-date
- Confidentiality – only able to be accessed and read by authorised parties
- Compliance – complies with relevant external obligations (e.g. Privacy Act)
The third stage should consider the risks that exist which could prevent the objectives being achieved. For example, what would prevent the information from being available as and when required? What would prevent the information from being accurate?
The risks should be grouped according to the objectives they affect and would therefore be categorised under availability, integrity, confidentiality and compliance.
The fourth stage requires the identification and recording of the key controls over each of the identified risks. These will include such things as access controls, cryptography, physical and environmental security etc.
We are now in a position to carry out risk assessment and monitoring. As part of an overall ERM process, the key risk management techniques will be:
Risk and Control Assessment
For each information asset, we can identify the key risks and key controls. We then assess the level of risk (using likelihood of occurrence and potential impact if it were to occur) at both an inherent level and a residual level, the latter after taking into account an assessment of the effectiveness of the controls. This then allows us to evaluate the risks against a predetermined risk appetite as a precursor to deciding whether we will accept, avoid or further treat the risks.
From the risk assessment, we should identify the key controls for each information asset and risk and develop a controls assurance testing program which is then periodically carried out so as to provide ongoing assurance that the key information risk controls are working effectively.
We should institute a formal process for identifying and managing any information risk incident relating to any of the key risks identified.
Key Risk and Control Indicators
Key risk and control indicators provide potential early warning that certain information risks are rising and / or that key controls are not operating effectively. This allows us to react accordingly and deal with the rising threat or control issue before it becomes an incident. Indicators may include such things as:
Key Risk Indicators
- Number of records
- Number of system users
- Number of dormant users
- Volume of new data
- Number of laptops
- Number of website hits
Key Control Indicators
- Number of weeks since passwords changed
- Number of staff not police checked
- Number of days since virus software update
These techniques allow ongoing assessment and monitoring of the key information risks facing our business. The information gathered from this process should then be communicated to management in an easy to understand manner that allows the identification of key issues so that they can be dealt with immediately.
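As a worked illustration of the process above (the asset register, the risk and control assessment against a risk appetite, and the key risk / key control indicators), the following script is added here and is not code from the original article. The 1-5 likelihood and impact scales, the rule that an effective control reduces likelihood in proportion to its assessed effectiveness, the risk appetite of 6, the 90-day dormancy and 13-week password thresholds, and all register, risk and user records are constructed assumptions; the "avoid" decision, which is a management choice rather than a calculation, is not modelled.

```python
"""Worked example of the register-and-assess process described above.
Added illustration, not code from the original article: the scoring
scale, the control-effectiveness model, the risk appetite and the sample
data are all assumptions."""
import math
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Asset:
    """One row of the Information Asset Register (a subset of the fields listed)."""
    name: str
    storage: str                 # server, laptop, USB key, filing cabinet ...
    classification: str          # public / private / protected ...
    owner: str
    records: int
    read_access: list = field(default_factory=list)
    write_access: list = field(default_factory=list)


@dataclass
class Risk:
    """A risk to one information objective of one asset, with its key control."""
    asset: str
    objective: str               # availability / integrity / confidentiality / compliance
    description: str
    likelihood: int              # inherent, 1 (rare) .. 5 (almost certain) - assumed scale
    impact: int                  # inherent, 1 (minor) .. 5 (severe) - assumed scale
    control: str
    effectiveness: float         # assessed control effectiveness, 0.0 .. 1.0 - assumed scale


RISK_APPETITE = 6                # assumed: residual scores above this must be treated


def inherent_score(r: Risk) -> int:
    return r.likelihood * r.impact


def residual_score(r: Risk) -> int:
    # Assumed model: the control reduces likelihood in proportion to its
    # effectiveness (rounded up, never below 1); impact is unchanged.
    residual_likelihood = max(1, math.ceil(r.likelihood * (1.0 - r.effectiveness)))
    return residual_likelihood * r.impact


def assess(risks: list) -> list:
    """Risk and Control Assessment: inherent and residual score per risk,
    plus the accept/treat decision against the risk appetite."""
    out = []
    for r in risks:
        res = residual_score(r)
        out.append({
            "asset": r.asset, "objective": r.objective, "risk": r.description,
            "inherent": inherent_score(r), "residual": res,
            "decision": "accept" if res <= RISK_APPETITE else "treat",
        })
    return out


def by_objective(assessment: list) -> dict:
    """Group assessed risks by the objective they threaten (stage three)."""
    groups = {}
    for row in assessment:
        groups.setdefault(row["objective"], []).append(row)
    return groups


def indicators(users: list, av_last_update: date, as_of: date,
               dormant_days: int = 90, password_max_weeks: int = 13) -> dict:
    """Key risk / key control indicators from (name, last_login, password_changed)
    user records. Thresholds are assumptions."""
    dormant = sum(1 for _, login, _ in users if (as_of - login).days > dormant_days)
    stale = sum(1 for _, _, changed in users
                if (as_of - changed).days // 7 >= password_max_weeks)
    return {
        "users": len(users),                                    # KRI
        "dormant_users": dormant,                               # KRI
        "stale_passwords": stale,                               # KCI
        "days_since_av_update": (as_of - av_last_update).days,  # KCI
    }


# Constructed sample data (not real assets, risks or users).
REGISTER = [
    Asset("Customer database", "server", "private", "Head of Sales", 120000,
          ["crm-users"], ["crm-admins"]),
    Asset("Sales laptops (local files)", "laptop", "private", "Sales Manager", 4000,
          ["sales-staff"], ["sales-staff"]),
]
RISKS = [
    Risk("Customer database", "confidentiality", "unauthorised read of customer records",
         4, 5, "role-based access control and encryption at rest", 0.75),
    Risk("Customer database", "availability", "database server outage",
         3, 4, "daily backups with tested restore", 0.5),
    Risk("Sales laptops (local files)", "confidentiality", "lost or stolen laptop",
         4, 3, "full-disk encryption", 0.9),
]
AS_OF = date(2024, 6, 30)
AV_LAST_UPDATE = date(2024, 6, 27)
USERS = [
    ("alice", date(2024, 6, 28), date(2024, 5, 1)),
    ("bob", date(2024, 2, 10), date(2023, 11, 20)),
    ("carol", date(2024, 6, 1), date(2024, 1, 15)),
    ("dave", date(2023, 12, 1), date(2023, 12, 1)),
]

if __name__ == "__main__":
    for objective, rows in by_objective(assess(RISKS)).items():
        print(objective)
        for row in rows:
            print(f"  {row['asset']}: inherent {row['inherent']}, "
                  f"residual {row['residual']} -> {row['decision']}")
    print(indicators(USERS, AV_LAST_UPDATE, AS_OF))
```

With these assumptions the database outage risk stays above appetite after controls (residual 8) and is flagged for treatment, while the two confidentiality risks fall within appetite; the indicator set reports two dormant accounts and three passwords older than thirteen weeks, which is the kind of early-warning figure the dashboard in Figure 2 would surface.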
Figure 2: Reporting Dashboard - courtesy of our Partner Trust in People, in The Netherlands
The above approach will provide you with a strong information risk management process and, in addition, is in line with ISO 27001, the information security management systems standard. That standard focuses on information security and therefore on the information objectives of confidentiality, integrity and availability.
If you would like to know more about how to build a first class information risk management capability for one of your most valuable assets, please contact firstname.lastname@example.org.
Reference: ISO 31000:2009, Risk management - Principles and guidelines