Risk Management Insights


information security management

Infographic: Information Risk Management Framework


In previous articles, we have talked about the increasing importance of data collection and data management in business strategy. On this occasion we invite you to consider: what are you doing with the information that the company receives and stores? Is there a robust process to manage, secure and protect it effectively, and is that process an integral part of your Enterprise Risk Management framework?

In the infographic below you will see the four key stages that should make up the process. The starting point is to identify all sources of information that are used and managed by the organisation. To do this, you need to design an "Information Asset Register". Once this has been developed, you can then apply risk management to manage the risks that could stop your information management objectives being achieved.


Security Risk Management, information security management

Cyber security – will we ever be safe?

I recently read an article in @TheEconomist (April 8 edition) entitled The Myth of Cyber Security, a somewhat depressing piece on the poor state of cyber security globally. The author discussed numerous reasons behind the current problems:

  • Software complexity and speed of development
  • Users' failure to protect themselves
  • The technology industry's inability to self-regulate and accept liability for product flaws

The last point draws a comparison with the car industry of the early 1960s: it was not until government forced its hand on safety that the industry's attitude changed. The author considered that additional government intervention could likewise benefit the technology sector. Examples included increased reporting requirements for companies that are hacked, forced default password changes and legislated timeframes for fixes to "at risk" products.


Security Risk Management, information security management, ISO 27001

Information Security Risk Management: An Interview with Peter Walker, Protecht Group Chief Information Officer

In this blog post, Peter Walker, Protecht's Chief Information Officer, answers some questions about information security and getting ISO 27001 certified.

Why are you concerned about information security?

I receive notifications of data breaches and information security reports with lessons learned on a daily basis. The number, magnitude and consequences of these incidents continue to rise. As Protecht's CIO, it's a sobering thought when you are managing other people's highly sensitive data.

While we have had information security processes and procedures in place for many years, I recognised the need to do more and to be able to quickly demonstrate to the Protecht Executive Team and external parties that we had a robust and effective information security risk management framework in place. As a separate driver, we needed to be able to demonstrate to our Australian Commonwealth Government clients and prospects that we met the very stringent information security management requirements of the Australian Signals Directorate.


Security Risk Management, information security management, Risk Management

Cloud Computing: Food for Thought

The move towards cloud computing is exciting for many businesses. Not only can they realise cost savings through reduced maintenance of their own IT systems; many cloud tools also enable new levels of sharing, collaboration and ease of access, which can transform the way businesses work.

However, wider adoption of cloud computing leads to increased scrutiny, both from users and regulators. The availability, integrity and confidentiality of data remain critical for any business, regardless of whether it is stored on site or in the cloud. Thus, prior to entering any hosting or cloud arrangement, companies should have a robust process in place to evaluate the service.


Security Risk Management, information security management

Data risk: a growing risk for companies and great opportunity for hackers

One of the biggest obstacles for organisations is understanding where critical data resides and how it is currently protected. Apart from the production environment, copies of important or sensitive data are also stored in back-ups, data warehouses and test environments. These environments may be less protected than the production environment. Data risk is a growing risk for companies and a great opportunity for hackers.

Recently, a well-known travel agency was hacked and almost 1 million customer records were exposed. Although the production environment was secure, the less secure test environment was also accessible from the internet, which facilitated unauthorised access to sensitive customer data. Data risk management should therefore focus on the data itself, as recommended by the international security standard ISO 27001:2013.


Compliance Management, Security Risk Management, Enterprise Risk Management, information security management

Information Risk Management as part of your ERM framework

We often hear that this is the information age and that data is the new gold. The "Big Data" trend encapsulates this and focuses our minds on the potentially huge amounts of data our businesses have access to, both internal and external. Data and information are therefore a potentially high-value asset, but just like a gold mine, they need to be mined and refined into something valuable, and then protected.

Given the explosion of available information and the ever-increasing reliance on that information to provide our businesses with the resources they need to function, information risk management has never been more critical.

This article considers information risk management as part of an overall Enterprise Risk Management (ERM) framework.

The starting point for information risk management is to identify all sources of information that are used and managed by the organisation. This requires the development of an "Information Asset Register", which should include such things as:

  1. Information asset name
  2. Type: electronic / physical
  3. If electronic: production, test or back-up
  4. Type of storage: server, laptop, desktop, mobile device, web, USB key, physical (filing cabinet), etc.
  5. Type of information (field descriptors)
  6. Purpose / use of the information
  7. Location (geolocation)
  8. Number of records
  9. Relevant external obligations over the information. Is the information public or private? For government, unclassified / protected, etc.
  10. Information / storage owner
  11. Methods of write access (add, amend, delete)
  12. Methods of read access (web, intranet, print, etc.)
  13. Parties with write access
  14. Parties with read access